Abstract

In this paper bounded model checking of asynchronous concurrent systems is introduced as 
a promising application area for answer set programming. As the model of asynchronous 
systems a generalisation of communicating automata, 1-safe Petri nets, is used. It is 
shown how a 1-safe Petri net and a requirement on the behaviour of the net can be 
translated into a logic program such that the bounded model checking problem for the 
net can be solved by computing stable models of the corresponding program. The use 
of the stable model semantics leads to compact encodings of bounded reachability and 
deadlock detection tasks as well as the more general problem of bounded model checking 
of linear temporal logic. Correctness proofs of the devised translations are given, and some 
experimental results using the translation and the Smodels system are presented. 
1 Introduction

Recently, a novel paradigm for applying declarative logic programming techniques 
has been proposed. In this approach, called answer set programming (a term coined 
by Vladimir Lifschitz), a problem is solved by devising a logic program such that 
models of the program provide the answers to the problem (Lif99; MT99; Nie99). 
Much of this work has been based on the stable model semantics (GL88) and 
there are efficient systems DLV (http://www.dbai.tuwien.ac.at/proj/dlv/) and 
Smodels (http://www.tcs.hut.fi/Software/smodels/) for computing stable 
models of logic programs. Using such an answer set programming system a problem 
is solved by writing a logic program whose stable models capture the solutions of 
the problem and then employing the system to compute a solution, i.e., a stable 
model. 

* This is an extended version of a paper titled "Bounded LTL Model Checking with Stable Models" 
presented at the 6th International Conference on Logic Programming and Nonmonotonic 
Reasoning (LPNMR'2001), Vienna, Austria, September 2001. 

† The financial support of the Academy of Finland (Projects 53695, 47754) and the Foundation of Technology 
(Tekniikan Edistämissäätiö), Helsinki, Finland is gratefully acknowledged. 
In this paper we put forward symbolic model checking (BCM+92; CGP99) as a 
promising application area for answer set programming systems. In particular, we 
demonstrate how bounded model checking problems of asynchronous concurrent 
systems can be reduced to computing stable models of logic programs. 

Verification of asynchronous systems is typically done by enumerating the reach- 
able states of the system. Tools based on this approach (with various enhancements) 
include, e.g., the Spin system (Hol97), which supports extended finite state machines 
communicating through FIFO queues, and the Petri net model based PROD 
tool (VHL97). The main problem with enumerative model checkers is the amount 
of memory needed for the set of reachable states. 

Symbolic model checking is widely applied especially in hardware verification. 
The main analysis technique is based on (ordered) binary decision diagrams (BDDs). 
In many cases the set of reachable states can be represented very compactly using 
a BDD encoding. Although the approach has been successful, there are difficulties 
in applying BDD-based techniques, in particular, in areas outside hardware veri- 
fication. The key problem is that some Boolean functions do not have a compact 
representation as BDDs and the size of the BDD representation of a Boolean func- 
tion is very sensitive to the variable ordering. Bounded model checking (BCCZ99) 
has been proposed as a technique for overcoming the space problem by replacing 
BDDs with satisfiability (SAT) checking techniques because typical SAT checkers 
use only polynomial amount of memory. The idea is roughly the following. Given a 
sequential digital circuit, a (temporal) property to be verified, and a bound n, the 
behaviour of a sequential circuit is unfolded up to n steps as a Boolean formula S 
and the negation of the property to be verified is represented as a Boolean formula 
R. The translation to Boolean formulas is done so that S A R is satisfiable iff the 
system has a behaviour violating the property of length at most n. Hence, bounded 
model checking provides directly interesting and practically relevant benchmarks for 
any answer set programming system capable of handling propositional satisfiability 
problems. 

Until now bounded model checking has been applied to synchronous hardware 
verification and little attention has been given to knowledge representation issues 
such as developing concise and efficient logical representation of system behaviour. 
In this work we study the knowledge representation problem and employ ideas used 
in reducing planning to stable model computation (Nie99). The aim is to develop 
techniques such that the behaviour of an asynchronous concurrent system can be 
encoded compactly and the inherent concurrency in the system could be exploited 
in model checking the system. To illustrate the approach we use a simple basic 
Petri net model of asynchronous systems, 1-safe Place/Transition nets (P/T nets), 
which is an interesting generalisation of communicating automata (DR98). Thus 
properties of finite state systems composed of finite state machine components can 
be verified using model checkers for 1-safe Petri nets. 

The structure of the rest of the paper is the following. In the next section we 
introduce Petri nets and the bounded model checking problem. Then we develop 
a compact encoding of bounded model checking as the problem of finding stable 
models of logic programs. We first show how to treat reachability properties such as 
deadlocks and then demonstrate how to extend the approach to cope with properties 
expressed in linear temporal logic (LTL). We discuss initial experimental results and 
end with some concluding remarks. 

Fig. 1. Running Example 

2 Petri nets and bounded model checking 

There are several Petri net derived models presented in the literature. We will use 
P/T-nets which are one of the simplest forms of Petri nets. We will use as a running 
example the P/T-net presented in Fig. 1. 

A triple $(P, T, F)$ is a net if $P \cap T = \emptyset$ and $F \subseteq (P \times T) \cup (T \times P)$. The elements of 
$P$ are called places, and the elements of $T$ transitions. Places and transitions are also 
called nodes. The places are represented in graphical notation by circles, transitions 
by squares, and the flow relation $F$ by arcs. We identify $F$ with its characteristic 
function on the set $(P \times T) \cup (T \times P)$. The preset of a node $x$, denoted by ${}^\bullet x$, is 
the set $\{y \in P \cup T \mid F(y, x) = 1\}$. In our running example, e.g., ${}^\bullet t2 = \{p1, p2\}$. The 
postset of a node $x$, denoted by $x^\bullet$, is the set $\{y \in P \cup T \mid F(x, y) = 1\}$. Again in 
our running example $p2^\bullet = \{t2, t3, t5\}$. 

A marking of a net $(P, T, F)$ is a mapping $P \to \mathbb{N}$. A marking $M$ is identified 
with the multi-set which contains $M(p)$ copies of $p$ for every $p \in P$. A 4-tuple 
$\Sigma = (P, T, F, M_0)$ is a net system (also called a P/T-net) if $(P, T, F)$ is a net and 
$M_0$ is a marking of $(P, T, F)$ called the initial marking. A marking is graphically 
denoted by a distribution of tokens on the places of the net. In our running example 
in Fig. 1 the net has the initial marking $M_0 = \{p1, p2\}$. 

A marking $M$ enables a transition $t \in T$ if $\forall p \in P : F(p, t) \le M(p)$. If $t$ is 
enabled, it can occur leading to a new marking (denoted $M \xrightarrow{t} M'$), where $M'$ is 
defined by $\forall p \in P : M'(p) = M(p) - F(p, t) + F(t, p)$. In the running example $t2$ 
is enabled in the initial marking $M_0$, and thus $M_0 \xrightarrow{t2} M'$, where $M' = \{p3, p4\}$. 
A marking $M$ is a deadlock if no transition $t \in T$ is enabled by $M$. In our running 
example the marking $M = \{p1, p5\}$ is a deadlock. 

A marking $M_n$ is reachable in $\Sigma$ if there is an execution, i.e., a (possibly empty) 
sequence of transitions $t_0, t_1, \ldots, t_{n-1}$ and markings $M_1, M_2, \ldots, M_{n-1}$ such that: 
$M_0 \xrightarrow{t_0} M_1 \xrightarrow{t_1} \ldots M_{n-1} \xrightarrow{t_{n-1}} M_n$. A marking $M$ is reachable within a bound $n$, 
if there is an execution with at most $n$ transitions, with which $M$ is reachable. 
The net system may also have infinite executions, i.e., infinite sequences of transitions 
$t_0, t_1, \ldots$ and markings $M_1, M_2, \ldots$ such that: $M_0 \xrightarrow{t_0} M_1 \xrightarrow{t_1} \ldots$. The maximal 
executions of a net system are the infinite executions of the net system together 
with the (finite) executions leading to a deadlock marking. 

A marking $M$ is 1-safe if $\forall p \in P : M(p) \le 1$. A P/T-net is 1-safe if all its 
reachable markings are 1-safe. We will restrict ourselves to finite P/T-nets which 
are 1-safe, and in which each transition has both nonempty pre- and postsets. 

Given a 1-safe P/T-net $\Sigma$, we say that a set of transitions $S \subseteq T$ is concurrently 
enabled in the marking $M$, if (i) all transitions $t \in S$ are enabled in $M$, and (ii) 
for all pairs of transitions $t, t' \in S$, such that $t \ne t'$, it holds that ${}^\bullet t \cap {}^\bullet t' = \emptyset$. If a 
set $S$ is concurrently enabled in the marking $M$, it can be fired in a step (denoted 
$M \xrightarrow{S} M'$), where $M'$ is the marking reached after firing all of the transitions in the 
step $S$ in arbitrary order. It is easy to prove by using the 1-safeness of the P/T-net 
$\Sigma$ that all possible interleavings of transitions in a step $S$ are enabled in $M$, and 
that they all lead to the same final marking $M'$. In our running example in the 
marking $M' = \{p3, p4\}$ the step $\{t1, t4\}$ is enabled, and will lead back to the initial 
marking $M_0$. This is denoted by $M' \xrightarrow{\{t1, t4\}} M_0$. Notice also that for any enabled 
transition, the singleton set containing only that transition is a step. 

We say that a marking $M_n$ is reachable in step semantics in a 1-safe P/T-net if 
there is a step execution, i.e., a (possibly empty) sequence $S_0, S_1, \ldots, S_{n-1}$ of steps 
and $M_1, M_2, \ldots, M_{n-1}$ of markings such that: $M_0 \xrightarrow{S_0} M_1 \xrightarrow{S_1} \ldots M_{n-1} \xrightarrow{S_{n-1}} M_n$. 
A marking $M$ is reachable within a bound $n$ in the step semantics, if there is a 
step execution with at most $n$ steps, with which $M$ is reachable. We will refer to 
the "normal semantics" as interleaving semantics. The infinite step executions and 
maximal step executions are defined in a similar way as in the interleaving case. 

Note that if a marking is reachable in $n$ transitions in the interleaving semantics, 
it is also reachable in $n$ steps in the step semantics. However, the converse does not 
necessarily hold. We have, however, the following theorem which implicitly follows 
from the results of (H1387). 

Theorem 1 

For finite 1-safe P/T-nets the set of reachable markings in the interleaving and step 
semantics coincide. 
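The definitions of this section (enabling, firing, concurrently enabled steps, bounded reachability in the interleaving and the step semantics, and deadlocks) as executable Python. This is an added example, not code from the paper or from the Smodels distribution; the net is the running example of Fig. 1 as reconstructed from the presets and postsets quoted in the text, markings are represented as sets of marked places (which is exactly what 1-safeness permits), and the function names are this example's own.

```python
from collections import deque
from itertools import combinations

# Running example of Fig. 1 (constructed from the presets/postsets quoted in
# Section 2): transition -> (preset, postset).
NET = {
    "t1": ({"p3"}, {"p1"}),
    "t2": ({"p1", "p2"}, {"p3", "p4"}),
    "t3": ({"p2"}, {"p4"}),
    "t4": ({"p4"}, {"p2"}),
    "t5": ({"p2"}, {"p5"}),
}
M0 = frozenset({"p1", "p2"})


def enabled(net, marking):
    """t is enabled in M iff F(p,t) <= M(p) for all p; on sets: preset(t) is a subset of M."""
    return [t for t, (pre, _) in net.items() if pre <= marking]


def fire(net, marking, t):
    """M'(p) = M(p) - F(p,t) + F(t,p), written on sets because the net is 1-safe."""
    pre, post = net[t]
    return frozenset((marking - pre) | post)


def steps(net, marking):
    """Non-empty sets S concurrently enabled in M: every t in S is enabled and the
    presets are pairwise disjoint.  Singletons of enabled transitions are always steps."""
    en = enabled(net, marking)
    result = []
    for k in range(1, len(en) + 1):
        for S in combinations(en, k):
            if all(net[a][0].isdisjoint(net[b][0]) for a, b in combinations(S, 2)):
                result.append(frozenset(S))
    return result


def fire_step(net, marking, S):
    """Fire a whole step; by 1-safeness every interleaving of S reaches the same marking."""
    for t in S:
        marking = fire(net, marking, t)
    return marking


def bounded_reach(net, m0, n, step_semantics=False):
    """Markings reachable within bound n, each mapped to the fewest transitions
    (interleaving semantics) or fewest steps (step semantics) needed.  Plain BFS."""
    dist = {m0: 0}
    queue = deque([m0])
    while queue:
        m = queue.popleft()
        if dist[m] == n:
            continue
        moves = steps(net, m) if step_semantics else [frozenset([t]) for t in enabled(net, m)]
        for S in moves:
            m2 = fire_step(net, m, S)
            if m2 not in dist:
                dist[m2] = dist[m] + 1
                queue.append(m2)
    return dist


def deadlocks_within(net, m0, n, step_semantics=False):
    """Bounded deadlock detection: reachable markings within n that enable no transition."""
    return {m for m in bounded_reach(net, m0, n, step_semantics) if not enabled(net, m)}


def one_safe_within(net, m0, n):
    """Check M(p) <= 1 along every firing within the bound: a firing would break
    1-safeness if its postset adds a token to a place that keeps its token."""
    for m in bounded_reach(net, m0, n):
        for t in enabled(net, m):
            pre, post = net[t]
            if (m - pre) & post:
                return False
    return True


if __name__ == "__main__":
    print("enabled in M0:", enabled(NET, M0))
    print("deadlocks within 2 transitions:", deadlocks_within(NET, M0, 2))
    print("steps from {p3,p4}:", steps(NET, frozenset({"p3", "p4"})))
```

Running it shows the two facts stated in the text: the deadlock $\{p1, p5\}$ is reached with one transition ($t5$), and from $\{p3, p4\}$ the initial marking is one step away in the step semantics but two transitions away in the interleaving semantics, while the sets of reachable markings under both semantics coincide (Theorem 1).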

Linear temporal logic (LTL). The linear temporal logic LTL is one of the most 
widely used logics for model checking reactive systems, see e.g., (CGP99). The 
basic idea is to specify properties that the system should have using LTL. A model 
checker is then used to check whether all behaviours of the system are models of 
the specification formula. If not, then the model checker outputs a behaviour of the 
system which violates the given specification. 

Given a finite set $AP$ of atomic propositions, the syntax of LTL is given by: 

$\varphi ::= p \in AP \mid \neg\varphi_1 \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \,U\, \varphi_2 \mid \varphi_1 \,R\, \varphi_2$ . 

Note that we do not define the often used next-time operator $X \varphi_1$. This is a commonly 
used tradeoff which in our case allows the combination of the step semantics 
with LTL model checking. 

We use $V = 2^{AP}$ as our alphabet. We denote by $V^+$ all finite sequences over $V$ 
excluding the empty sequence, and with $V^\omega$ all infinite sequences over $V$. A word 
$w \in V^+ \cup V^\omega$ is thus either a finite sequence $w = x_0 x_1 \ldots x_n$ or an infinite sequence 
$w = x_0 x_1 \ldots$, such that $x_i \in V$ for all $i \ge 0$. For a word $w$ we define $w(i) = x_i$, and 
denote by $w^{(i)}$ the suffix of $w$ starting at $x_i$. When $w \in V^+$ we define $|w|$ to be the 
length of the word $w$, and in the case $w \in V^\omega$ we define $|w| = \omega$ where $\omega$ is greater 
than any natural number. 

The relation $w \models \varphi$ is defined inductively as follows: 

• $w \models p$ iff $p \in w(0)$ for $p \in AP$, 

• $w \models \neg\varphi_1$ iff not $w \models \varphi_1$, 

• $w \models \varphi_1 \vee \varphi_2$ iff $w \models \varphi_1$ or $w \models \varphi_2$, 

• $w \models \varphi_1 \wedge \varphi_2$ iff $w \models \varphi_1$ and $w \models \varphi_2$, 

• $w \models \varphi_1 \,U\, \varphi_2$ iff there exists $0 \le j < |w|$, such that $w^{(j)} \models \varphi_2$ and for all 
$0 \le i < j$, $w^{(i)} \models \varphi_1$, 

• $w \models \varphi_1 \,R\, \varphi_2$ iff for all $0 \le j < |w|$, if for every $0 \le i < j$ $w^{(i)} \not\models \varphi_1$ then 
$w^{(j)} \models \varphi_2$. 

We define some shorthand LTL formulas: $\top = p \vee \neg p$ for some arbitrary fixed 
$p \in AP$, $\bot = \neg\top$, $\Diamond\varphi = (\top \,U\, \varphi)$, $\Box\varphi = (\bot \,R\, \varphi)$, and $\varphi_1 \to \varphi_2 = \neg\varphi_1 \vee \varphi_2$. The 
temporal operators are called: $U$ for "until", $R$ for "release", $\Diamond$ for "eventually", 
and $\Box$ for "globally". Our definition of the semantics of LTL above is somewhat 
redundant. This was done on purpose, as we often in this work use LTL formulas 
in positive normal form, in which only a restricted use of negations is allowed. To 
be more specific, an LTL formula is said to be in positive normal form when all 
negations in the formula appear directly before an atomic proposition. A formula 
can be put into positive normal form with the following equivalences (and their 
duals): $\neg\neg\varphi = \varphi$, $\neg(\varphi_1 \vee \varphi_2) = \neg\varphi_1 \wedge \neg\varphi_2$, and $\neg(\varphi_1 \,U\, \varphi_2) = \neg\varphi_1 \,R\, \neg\varphi_2$. Note 
that converting a formula into positive normal form does not involve a blowup. 

Some examples of practical use of LTL formulas are: $\Box\neg(cs_1 \wedge cs_2)$ (it always holds 
that two processes are not at the same time in a critical section), $\Box(req \to \Diamond ack)$ (it 
is always the case that a request is eventually followed by an acknowledgement), and 
$((\Box\Diamond sch_1) \wedge (\Box\Diamond sch_2)) \to (\Box(tr_1 \to \Diamond cs_1))$ (if both process 1 and 2 are scheduled 
infinitely often, then always the entering of process 1 in the trying section is followed 
by the process 1 eventually entering the critical section). 

Given a 1-safe P/T net $\Sigma$, we use a chosen subset of the places as the atomic 
propositions $AP$. A maximal (interleaving) execution $M_0 \xrightarrow{t_0} M_1 \xrightarrow{t_1} \ldots$ satisfies $\varphi$ 
iff the corresponding word $w = (M_0 \cap AP), (M_1 \cap AP), \ldots$ satisfies $\varphi$. We say 
that $\Sigma$ satisfies $\varphi$ iff every maximal execution starting from the initial marking $M_0$ 
satisfies $\varphi$. Alternatively, $\Sigma$ does not satisfy $\varphi$ if there exists a maximal execution 
starting from $M_0$ which satisfies $\neg\varphi$. We call such an execution a counterexample. 
Notice that we restrict ourselves to maximal executions and thus our counterexamples 
are either infinite executions or finite executions leading to a deadlock (recall 
the definition of maximal executions). 
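The semantics above, made executable: an added example (not code from the paper) that evaluates an LTL formula over a finite word or over an infinite word given as a lasso, puts a formula into positive normal form with the dualities listed above, and builds the word of a net execution from its markings. The formula encoding as nested tuples, the lasso representation and the function names are this example's own choices. The fixpoint iteration is the only non-obvious part: on a finite word the successor relation is acyclic and the iteration reduces to the inductive definition, while on a lasso the least fixpoint gives $U$ and the greatest fixpoint gives $R$.

```python
# LTL formulas as nested tuples: an atomic proposition is a string; the
# connectives are ("not", f), ("or", f, g), ("and", f, g), ("U", f, g), ("R", f, g).
# Shorthands of Section 2, with the fixed proposition "p" for T:
TOP = ("or", "p", ("not", "p"))
BOT = ("not", TOP)


def ev(f):            # <> f  =  T U f
    return ("U", TOP, f)


def glob(f):          # [] f  =  _|_ R f
    return ("R", BOT, f)


def impl(f, g):       # f -> g  =  not f or g
    return ("or", ("not", f), g)


class Word:
    """A finite word x0 ... xn (loop=None) or an infinite word given as a lasso:
    x0 ... xn where the successor of xn is x_loop, i.e. x0 .. (x_loop .. xn)^omega."""

    def __init__(self, letters, loop=None):
        self.letters = [frozenset(x) for x in letters]
        self.loop = loop

    def succ(self, i):
        return i + 1 if i + 1 < len(self.letters) else self.loop


def positions(f, w):
    """The set of positions i with w^(i) |= f, following the inductive definition.
    U is the least and R the greatest fixpoint over the successor relation."""
    n = len(w.letters)
    if isinstance(f, str):
        return {i for i in range(n) if f in w.letters[i]}
    op = f[0]
    if op == "not":
        return set(range(n)) - positions(f[1], w)
    if op == "or":
        return positions(f[1], w) | positions(f[2], w)
    if op == "and":
        return positions(f[1], w) & positions(f[2], w)
    s1, s2 = positions(f[1], w), positions(f[2], w)
    if op == "U":
        res = set()                       # start from "nowhere", grow
        while True:
            new = {i for i in range(n)
                   if i in s2 or (i in s1 and w.succ(i) is not None and w.succ(i) in res)}
            if new == res:
                return res
            res = new
    if op == "R":
        res = set(range(n))               # start from "everywhere", shrink
        while True:
            new = {i for i in range(n)
                   if i in s2 and (i in s1 or w.succ(i) is None or w.succ(i) in res)}
            if new == res:
                return res
            res = new
    raise ValueError(op)


def models(f, w):
    """w |= f, i.e. f holds at position 0."""
    return 0 in positions(f, w)


def pnf(f):
    """Positive normal form: push every negation down to an atomic proposition."""
    if isinstance(f, str):
        return f
    if f[0] != "not":
        return (f[0],) + tuple(pnf(g) for g in f[1:])
    g = f[1]
    if isinstance(g, str):
        return f
    if g[0] == "not":
        return pnf(g[1])
    dual = {"or": "and", "and": "or", "U": "R", "R": "U"}
    return (dual[g[0]],) + tuple(pnf(("not", h)) for h in g[1:])


def word_of(markings, ap, loop=None):
    """The word (M0 n AP), (M1 n AP), ... of an execution; loop marks a lasso."""
    return Word([set(m) & set(ap) for m in markings], loop)
```

The last assertion of the test checks the claim that positive normal form changes nothing semantically: $\neg\Box(req \to \Diamond ack)$ and its normal form $\Diamond(req \wedge \Box\neg ack)$ agree on a loop word, a finite word and a one-letter word.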
The temporal logic LTL can specify quite complex properties of reactive systems. 
In many cases it suffices to reason about much simpler temporal properties. A typical 
example is the reachability of a marking satisfying some condition $C$ which in 
the LTL setting corresponds to finding a counterexample for a formula $\Box\neg C$. An 
important reachability based problem is deadlock detection. 

Definition 1 

(Deadlock detection) Given a 1-safe P/T-net $\Sigma$, is there a reachable marking $M$ 
which does not enable any transition of $\Sigma$? 

Most analysis questions, including deadlock detection and LTL model checking, 
are PSPACE-complete in the size of a 1-safe Petri net, see e.g., (Esp98). In bounded 
model checking we fix a bound n and look for counterexamples which are shorter 
than the given bound n. For example, in the case of bounded deadlock detection we 
look for executions reaching a deadlock in at most n transitions. It is easy to show 
that, e.g., the bounded deadlock detection problem is NP-complete (when the bound 
n is given in unary coding). This idea can also be applied to LTL model checking. 
In (BCCZ99) bounded LTL model checking is introduced. They also discuss how to 
ensure that a given bound n is sufficient to guarantee completeness. Unfortunately, 
getting an exact bound is often computationally infeasible, and easily obtainable 
upper bounds are too large. In the case of 1-safe P/T-nets they are exponential 
in the number of places in the net. Therefore the bounded model checking results 
are usually not conclusive if a counterexample is not found. Thus bounded model 
checking is at its best in "bug hunting" , and not as easily applicable in verifying 
systems to be correct. 

3 From bounded model checking to answer set programming 

In this section we show how to solve bounded LTL model checking problems using 
answer set programming based on normal logic programs with the stable model 
semantics. The basic idea is to reduce a bounded model checking problem to a 
stable model computation task, i.e., to devise for a P/T-net, a bound, and a tem- 
poral property to be checked a logic program such that the stable models of the 
program correspond directly to executions of the net within the bound violating 
the property. Then an implementation of the stable model semantics can be used 
to perform bounded model checking tasks. First we briefly review the stable model 
semantics (GL88) and discuss a couple of useful shorthands to be used in the encodings 
as well as the basis of an answer set programming methodology with rules. 
Then we address the encoding of checking reachability properties and finally extend 
the approach to handle full LTL model checking. 

3.1 Stable model semantics 

For encoding bounded model checking problems we use normal logic programs with 
stable model semantics (GL88). A normal rule is of the form 

$a \leftarrow b_1, \ldots, b_m, \mathit{not}\ c_1, \ldots, \mathit{not}\ c_n$ (1) 

where each $a$, $b_i$, $c_j$ is a ground atom. Models of a program are sets of ground atoms. 
A set of atoms $A$ is said to satisfy an atom $a$ if $a \in A$ and a negative literal $\mathit{not}\ a$ if 
$a \notin A$. A rule $r$ of the form (1) is satisfied by $A$ if the head $a$ is satisfied whenever 
every body literal $b_1, \ldots, b_m, \mathit{not}\ c_1, \ldots, \mathit{not}\ c_n$ is satisfied by $A$ and a program $\Pi$ 
is satisfied by $A$ if each rule in $\Pi$ is satisfied by $A$ (denoted $A \models \Pi$). 

Stable models of a program are sets of ground atoms which satisfy all the rules 
of the program and are justified by the rules. This is captured using the concept of 
a reduct. For a program $\Pi$ and a set of atoms $A$, the reduct $\Pi^A$ is defined by 

$\Pi^A = \{\, a \leftarrow b_1, \ldots, b_m \mid a \leftarrow b_1, \ldots, b_m, \mathit{not}\ c_1, \ldots, \mathit{not}\ c_n \in \Pi,\ \{c_1, \ldots, c_n\} \cap A = \emptyset \,\}$ 

i.e., a reduct $\Pi^A$ does not contain any negative literals and, hence, has a unique 
subset minimal set of atoms satisfying it. 

Definition 2 

A set of atoms $A$ is a stable model of a program $\Pi$ iff $A$ is the unique minimal set 
of atoms satisfying $\Pi^A$. 

We employ three extensions which can be seen as compact shorthands for normal 
rules. We use integrity constraints, i.e., rules 

$\leftarrow b_1, \ldots, b_m, \mathit{not}\ c_1, \ldots, \mathit{not}\ c_n$ (2) 

with an empty head. Such a constraint can be taken as a shorthand for a rule 

$f \leftarrow \mathit{not}\ f, b_1, \ldots, b_m, \mathit{not}\ c_1, \ldots, \mathit{not}\ c_n$ 

where $f$ is a new atom. Notice that a stable model $A$ satisfies an integrity constraint 
(2) only if at least one of its body literals is not satisfied by $A$. 

For expressing the choice whether to include an atom in a stable model we use 
choice rules. They are normal rules where the head is in brackets with the idea that 
the head can be included in a stable model only if the body holds but it can be left 
out, too. Such a construct can be represented using normal rules by introducing a 
new atom. For example, the choice rule on the left corresponds to the two normal 
rules on the right where $a'$ is a new atom. 

$\{a\} \leftarrow b, \mathit{not}\ c$   ⇝   $a \leftarrow \mathit{not}\ a', b, \mathit{not}\ c$ 
                                     $a' \leftarrow \mathit{not}\ a$ 

Finally, a compact encoding of conflicts is needed, i.e., rules of the form 

$\leftarrow 2\{a_1, \ldots, a_n\}$ (3) 

saying that a stable model cannot contain any two atoms out of a set of atoms 
$\{a_1, \ldots, a_n\}$. Such a rule can be expressed, e.g., by adding a rule $f \leftarrow \mathit{not}\ f, a_i, a_j$, 
where $f$ is a new atom, for each pair $a_i, a_j$ from $\{a_1, \ldots, a_n\}$, i.e., using $O(n^2)$ rules. 
Choice and conflict rules are simple cases of cardinality constraint rules (NS00). 
The Smodels system provides an implementation for cardinality constraint rules 
and includes primitives supporting directly such constraints without translating 
them first to corresponding normal rules. 
A straightforward method of using logic program rules for answer set programming 
can be based on a generate and test idea. A set of rules plays the role of 
a generator capturing stable models corresponding to all candidate solutions and 
another set of rules, testers, eliminates the non-valid ones. A systematic way of using 
this method can be based on some simple modularity properties of stable model 
semantics which are given below as propositions where the first two are straightforward 
consequences of the splitting theorem (LT94). 

The propositions play an important role in proving the correctness of our logic 
program encodings. The first one says that if rules defining new atoms are added, 
then a stable model of the original program can be obtained directly from a stable 
model of the extended program. Often a tester is encoded using a stratified set of 
rules and an integrity constraint. The next two propositions show that this does not 
introduce new stable models but extends the original ones and possibly eliminates 
some of them. 

Proposition 1 

Let $\Pi_1$ and $\Pi_2$ be programs such that the atoms in the heads of the rules in $\Pi_2$ do 
not occur in $\Pi_1$. Then for every stable model $A$ of $\Pi_1 \cup \Pi_2$, $A \cap \mathrm{Atoms}(\Pi_1)$ is a 
stable model of $\Pi_1$ where $\mathrm{Atoms}(\Pi)$ denotes the set of atoms appearing in $\Pi$. 

Proposition 2 

Let $\Pi_1$ be a program and $\Pi_2$ a stratified program such that the atoms in the heads 
of the rules in $\Pi_2$ do not occur in $\Pi_1$. Then for every stable model $A_1$ of $\Pi_1$ there 
is a unique stable model $A$ of $\Pi_1 \cup \Pi_2$ such that $A_1 = A \cap \mathrm{Atoms}(\Pi_1)$. 

Proposition 3 

Let $\Pi$ be a program. Then $A$ is a stable model of $\Pi$ and satisfies an integrity 
constraint $ic$ (2) iff $A$ is a stable model of $\Pi \cup \{ic\}$. 
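An added example (not from the paper and not the Smodels implementation) that makes Definition 2 and the three shorthands concrete. A normal rule is a Python triple, the integrity constraint, choice rule and conflict rule are expanded into normal rules with fresh atoms exactly as described above, and stable models are found by the generate-and-test idea in its crudest form: guess a set of atoms and check it against the minimal model of its reduct. The representation, the fresh-atom naming and the function names are this example's own; the brute-force search is meant for toy programs only.

```python
from itertools import product

# A normal rule  a <- b1, ..., bm, not c1, ..., not cn  is (a, {b1..bm}, {c1..cn}).
# Every rule has a head: the shorthands below are expanded as in Section 3.1.

_counter = [0]


def fresh(prefix):
    """A new atom name for the f / a' atoms introduced by the shorthands."""
    _counter[0] += 1
    return f"{prefix}#{_counter[0]}"


def rule(head, pos=(), neg=()):
    return (head, frozenset(pos), frozenset(neg))


def constraint(pos=(), neg=()):
    """<- pos, not neg   ==>   f <- not f, pos, not neg   (f new)"""
    f = fresh("f")
    return [rule(f, pos, set(neg) | {f})]


def choice(head, pos=(), neg=()):
    """{head} <- body   ==>   head <- not head', body ;  head' <- not head"""
    h2 = fresh(head + "'")
    return [rule(head, pos, set(neg) | {h2}), rule(h2, (), {head})]


def conflict(atoms):
    """<- 2{a1, ..., an}   ==>   one constraint <- ai, aj per pair (O(n^2) rules)"""
    atoms = list(atoms)
    rules = []
    for i in range(len(atoms)):
        for j in range(i + 1, len(atoms)):
            rules += constraint({atoms[i], atoms[j]})
    return rules


def reduct(program, A):
    """Pi^A: drop rules whose negative body meets A, strip negation from the rest."""
    return [(h, pos) for h, pos, neg in program if not (neg & A)]


def least_model(positive):
    """A negation-free program has a unique minimal model: its least fixpoint."""
    model = set()
    changed = True
    while changed:
        changed = False
        for h, pos in positive:
            if h not in model and pos <= model:
                model.add(h)
                changed = True
    return model


def is_stable(program, A):
    """Definition 2: A is stable iff A is the minimal model of its own reduct."""
    return set(A) == least_model(reduct(program, A))


def atoms_of(program):
    atoms = set()
    for h, pos, neg in program:
        atoms |= {h} | pos | neg
    return atoms


def stable_models(program):
    """Generate every subset of the atoms and test it (toy programs only)."""
    atoms = sorted(atoms_of(program))
    found = []
    for bits in product((False, True), repeat=len(atoms)):
        A = frozenset(a for a, b in zip(atoms, bits) if b)
        if is_stable(program, A):
            found.append(A)
    return found


def project(model, atoms):
    """Hide the auxiliary atoms of the shorthands (cf. Proposition 1)."""
    return frozenset(a for a in model if a in atoms)


if __name__ == "__main__":
    # b is a fact; a may be chosen when b holds; d may be chosen freely;
    # a and d exclude each other; at least one of them must be chosen.
    P = [rule("b")] + choice("a", {"b"}, {"c"}) + choice("d") + conflict(["a", "d"]) \
        + constraint(neg={"a", "d"})
    for m in stable_models(P):
        print(sorted(project(m, {"a", "b", "c", "d"})))
```

The test below also checks the two facts about Definition 2 that matter most in practice: a program with the single rule $a \leftarrow \mathit{not}\ a$ has no stable model at all, and adding the constraint $\leftarrow \mathit{not}\ a, \mathit{not}\ d$ to the program only removes stable models (Proposition 3), it never creates one.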



3.2 Reachability checking 

Now we devise a method for translating bounded reachability problems of 1-safe 
P/T-nets to tasks of finding stable models. Consider a net $N = (P, T, F)$ and a step 
bound $n \ge 1$. We construct a logic program $\Pi_A(N, n)$, which captures the possible 
executions of $N$ up to $n$ steps, as follows. 

• For each place $p \in P$, include a choice rule 

$\{p(0)\} \leftarrow$ . (4) 

• For each transition $t \in T$, and for all $i = 0, 1, \ldots, n-1$, include a rule 

$\{t(i)\} \leftarrow p_1(i), \ldots, p_l(i)$ (5) 

where $\{p_1, \ldots, p_l\}$ is the preset of $t$. Hence, a stable model can contain a 
transition instance in step $i$ only if its preset holds at step $i$. 

• For each place $p \in P$, for each transition $t$ in the preset of $p$, and for all 
$i = 0, 1, \ldots, n-1$, include a rule 

$p(i+1) \leftarrow t(i)$ . (6) 

These say that $p$ holds in the next step if at least one of its preset transitions 
is in the current step. 

• For each place $p \in P$, and for all $i = 0, 1, \ldots, n-1$, if the cardinality of the 
postset $\{t_1, \ldots, t_l\}$ of $p$ is at least 2, include a rule 

$\leftarrow 2\{t_1(i), \ldots, t_l(i)\}$ . (7) 

This rule states that at most one of the transitions that are in conflict w.r.t. 
$p$ can occur. 

• For each place $p$, and for all $i = 0, 1, \ldots, n-1$, 

$p(i+1) \leftarrow p(i), \mathit{not}\ t_1(i), \ldots, \mathit{not}\ t_l(i)$ (8) 

where $\{t_1, \ldots, t_l\}$ is the set of transitions having $p$ in their preset. This is the 
frame axiom for $p$ stating that $p$ continues to hold if no transition using it 
occurs. 

• Disallow execution of transitions followed by idling. For all $i = 0, 1, \ldots, n-1$, 
include rules 

$\mathit{idle}(i) \leftarrow \mathit{not}\ t_1(i), \ldots, \mathit{not}\ t_k(i)$    $\leftarrow \mathit{idle}(i+1), \mathit{not}\ \mathit{idle}(i)$ (9) 

where $\{t_1, \ldots, t_k\} = T$, i.e., the set of all transitions. These rules force all 
idling to happen at the beginning, followed by non-idling time-steps (if any). 

As an example consider net $N$ in Fig. 1 for which program $\Pi_A(N, n)$ is given in 
Fig. 2. 

$\{p1(0)\} \leftarrow$ 
$\{p2(0)\} \leftarrow$ 
$\{p3(0)\} \leftarrow$ 
$\{p4(0)\} \leftarrow$ 
$\{p5(0)\} \leftarrow$ 
$\{t1(i)\} \leftarrow p3(i)$ 
$\{t2(i)\} \leftarrow p1(i), p2(i)$ 
$\{t3(i)\} \leftarrow p2(i)$ 
$\{t4(i)\} \leftarrow p4(i)$ 
$\{t5(i)\} \leftarrow p2(i)$ 
$p1(i+1) \leftarrow t1(i)$ 
$p2(i+1) \leftarrow t4(i)$ 
$p3(i+1) \leftarrow t2(i)$ 
$p4(i+1) \leftarrow t2(i)$ 
$p4(i+1) \leftarrow t3(i)$ 
$p5(i+1) \leftarrow t5(i)$ 
$\leftarrow 2\{t2(i), t3(i), t5(i)\}$ 
$p1(i+1) \leftarrow p1(i), \mathit{not}\ t2(i)$ 
$p2(i+1) \leftarrow p2(i), \mathit{not}\ t2(i), \mathit{not}\ t3(i), \mathit{not}\ t5(i)$ 
$p3(i+1) \leftarrow p3(i), \mathit{not}\ t1(i)$ 
$p4(i+1) \leftarrow p4(i), \mathit{not}\ t4(i)$ 
$p5(i+1) \leftarrow p5(i)$ 
$\mathit{idle}(i) \leftarrow \mathit{not}\ t1(i), \mathit{not}\ t2(i), \mathit{not}\ t3(i), \mathit{not}\ t4(i), \mathit{not}\ t5(i)$ 
$\leftarrow \mathit{idle}(i+1), \mathit{not}\ \mathit{idle}(i)$ 

where $i = 0, 1, \ldots, n-1$ 

Fig. 2. Program $\Pi_A(N, n)$ 







In $\Pi_A(N, n)$ the initial marking is not constrained. Next we show how to limit 
markings using rules, i.e., how to construct a set of rules $\Pi_M(C, i)$ that eliminates 
all stable models which do not satisfy a given Boolean expression $C$ of marking 
conditions at step $i$. The set $\Pi_M(C, i)$ includes the rule $\leftarrow \mathit{not}\ c(i)$ and a set of 
rules defining $c(i)$ by a systematic translation of the condition $C$ at step $i$ as explained 
next. A Boolean expression $C$ can be encoded with rules by introducing for 
each non-atomic subexpression of $C$ a new atom together with rules capturing the 
conditions under which the subexpression is satisfied in the following way (NS00). 
Given a Boolean expression $C$ with connectives $\neg, \vee, \wedge$, every subexpression of $C$ 
of the form $\neg\phi$ is mapped to a rule $c_{\neg\phi} \leftarrow \mathit{not}\ c_\phi$; a subexpression $\phi \wedge \psi$ is mapped 
to $c_{\phi \wedge \psi} \leftarrow c_\phi, c_\psi$, and $\phi \vee \psi$ to the two rules $c_{\phi \vee \psi} \leftarrow c_\phi$ and $c_{\phi \vee \psi} \leftarrow c_\psi$ where $c_\phi, c_\psi$ 
are new atoms introduced for the non-atomic subexpressions. These are not needed 
for the atomic ones, i.e., $c_a = a$ for an atom $a$. The conditions for a step $i$ are then 
obtained by indexing all atoms with $i$. 

The encoding of marking conditions is illustrated by considering a condition 
$C : p_1 \wedge (\neg p_2 \vee p_3)$ saying that $p_1 \in M$ and ($p_2 \notin M$ or $p_3 \in M$) and a step $i$. Now 
the set of rules $\Pi_M(C, i)$ is 

$\leftarrow \mathit{not}\ c(i)$ 
$c(i) \leftarrow p_1(i), c_{\neg p_2 \vee p_3}(i)$ 
$c_{\neg p_2 \vee p_3}(i) \leftarrow c_{\neg p_2}(i)$ 
$c_{\neg p_2 \vee p_3}(i) \leftarrow p_3(i)$ 
$c_{\neg p_2}(i) \leftarrow \mathit{not}\ p_2(i)$ 

Our approach can solve a reachability problem for a set of initial markings given 
by a condition $C_0$ where the markings to be reached are specified by another condition 
$C$. 

Theorem 2 

Let $N = (P, T, F)$ be a 1-safe P/T-net for all initial markings satisfying a condition 
$C_0$. Net $N$ has an initial marking satisfying $C_0$ such that a marking satisfying a 
condition $C$ is reachable in at most $n$ steps iff $\Pi_M(C_0, 0) \cup \Pi_A(N, n) \cup \Pi_M(C, n)$ 
has a stable model. 

Proof 

See Appendix A.1. □ 

The deadlock detection problem is now just a special case of a reachability property 
where the rules $\Pi_M(C, n)$ exclude markings with some transition enabled. This 
set of rules is denoted by $\Pi_D(N, n)$ and it consists of the rule $\leftarrow \mathit{live}$ and the program 
$\Pi_L(N, n)$ which includes for each transition $t \in T$ and its preset $\{p_1, \ldots, p_l\}$, 
a rule 

$\mathit{live} \leftarrow p_1(n), \ldots, p_l(n)$ . (10) 

For our running example, the rules $\Pi_L(N, n)$ are 

$\mathit{live} \leftarrow p3(n)$    $\mathit{live} \leftarrow p1(n), p2(n)$    $\mathit{live} \leftarrow p2(n)$    $\mathit{live} \leftarrow p4(n)$ . 

3.3 Bounded LTL model checking 

Our strategy for finding counterexamples for LTL formula $\varphi$ (i.e., executions satisfying 
$\neg\varphi$) is almost the same as in (BCCZ99). The main difference is that we allow 
the system under model checking to have reachable deadlocks, while their translation 
does not allow this. This is also a difference to our previous work (HN01). 
Our counterexamples have two basic shapes. On the left in Fig. 3 is a loop counterexample, 
and on the right is a counterexample without loop. 

Fig. 3. Two counterexample possibilities (left: a loop counterexample $M_0, M_1, \ldots, M_{i-1}, M_i, \ldots, M_n$ whose last state is equivalent to $M_{i-1}$, with the atoms $el(i-1)$, $nl(i)$ and $il$ marking the loop; right: a counterexample without loop $M_0, M_1, \ldots, M_n$) 

Loop counterexamples specify an infinite execution, while counterexamples without a loop specify 
a finite execution. The arcs of the figure denote the "next state" of each state. 
Notice in the loop counterexample that if $M_{i-1}$ is equivalent to the last state $M_n$, 
the state $M_i$ is the "next state" of $M_n$. The counterexamples without loop can 
additionally be divided into deadlock executions (ending in a deadlock state), and 
non-maximal executions (ending in a state which is not a deadlock). 

In the case of non-maximal executions our encoding is a cautious one, and we 
will find counterexamples which exist, no matter how the non-maximal execution 
is extended into a maximal one. (Recall that we have defined the semantics of LTL 
over maximal executions of the net system.) Finding non-maximal counterexample 
executions is in fact only an optimisation. It was introduced in (BCCZ99), and 
allows some counterexamples to be found with smaller bounds than would otherwise 
be possible. 

In the encoding we use the auxiliary atoms $el(i)$, $le$, $nl(i)$, $il(i)$ with the following 
intuition (see Fig. 3 for an example). The $el(i)$ atom is in a stable model for the 
state $i$ that is equivalent with the last state $n$ and $le$ is in the model if a loop exists, 
i.e., some $el(i)$ is in the model. The $nl(i)$ atom is in a model for the "next state" $i$ 
of the last state, while $il(i)$ is in the model for all states $i$ in the loop. 

Given an LTL formula $f$ in positive normal form¹ (when the formula to be model 
checked is $\varphi$, the formula $f$ is equivalent to $\neg\varphi$ with negations pushed in), and a 
bound $n \ge 1$ we construct a program $\Pi_{LTL}(f, n)$ as follows. 

• Guess which state is equivalent to the last (if any). For all $0 \le i \le n-1$ add 
rule 

$\{el(i)\} \leftarrow$ . (11) 

• Disallow guessing two or more. (Guessing none is allowed though.) Add rule 

$\leftarrow 2\{el(0), el(1), \ldots, el(n-1)\}$ . (12) 

• Check that the guess is correct. For all $0 \le i \le n-1$, $p \in P$ include rules 

$\leftarrow el(i), p(i), \mathit{not}\ p(n)$    $\leftarrow el(i), p(n), \mathit{not}\ p(i)$ . (13) 



¹ Using the positive normal form is required to handle non-maximal counterexample executions, 
for which the duality $f_1 \,R\, f_2 = \neg(\neg f_1 \,U\, \neg f_2)$ can not be used, see (BCCZ99). 
Formula type            Translation 

$p$, for $p \in AP$         $f(i) \leftarrow p(i)$ 
$\neg p$, for $p \in AP$    $f(i) \leftarrow \mathit{not}\ p(i)$ 
$f_1 \vee f_2$              $f(i) \leftarrow f_1(i)$ 
                            $f(i) \leftarrow f_2(i)$ 
$f_1 \wedge f_2$            $f(i) \leftarrow f_1(i), f_2(i)$ 
$f_1 \,U\, f_2$             $f(i) \leftarrow f_2(i)$ 
                            $f(i) \leftarrow f_1(i), f(i+1)$ 
                            $f(n+1) \leftarrow nl(i), f(i)$ 
$f_1 \,R\, f_2$             $f(i) \leftarrow f_1(i), f_2(i)$ 
                            $f(i) \leftarrow f_2(i), f(i+1)$ 
                            $f(n+1) \leftarrow nl(i), f(i)$ 
                            $f(n+1) \leftarrow le, \mathit{not}\ c(f)$ 
                            $c(f) \leftarrow il(i), \mathit{not}\ f_2(i)$ 
                            $f(n) \leftarrow f_2(n), \mathit{not}\ \mathit{live}$ 

Fig. 4. Translation of an LTL formula $f$ 



• Specify auxiliary loop related atoms. For all $0 \le i \le n-1$, include rules 

$le \leftarrow el(i)$    $nl(i+1) \leftarrow el(i)$    $il(i+1) \leftarrow el(i)$    $il(i+1) \leftarrow il(i)$ . (14) 

• Require that if a loop exists, the last step contains a transition to disallow 
looping by idling. Add the rule 

$\leftarrow le, \mathit{idle}(n-1)$ . (15) 

• Allow at most one visible transition in a step to eliminate steps which cannot 
be interleaved to yield a counterexample. For all $0 \le i \le n-1$, add rule 

$\leftarrow 2\{t_1(i), \ldots, t_k(i)\}$ (16) 

where $\{t_1, \ldots, t_k\}$ is the set of visible transitions, i.e., the transitions whose 
firing changes the marking of a place $p$ appearing in the formula $f$. More 
formally, a transition $t \in T$ is visible, if there exists a place $p \in AP$ such that 
$F(t, p) - F(p, t) \ne 0$. 

We recursively translate the formula $f$ by first translating its subformulas, and then 
$f$ as follows. For all $0 \le i \le n$, add the rules given by Fig. 4.² Finally we require 
that the top level formula $f$ should hold in the initial marking 

$\leftarrow \mathit{not}\ f(0)$ . (17) 

With this program $\Pi_{LTL}(f, n)$ we get our main result. 
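The construction of $\Pi_{LTL}(f, n)$, rules (11) to (17) together with Fig. 4, as a generator: an added example that is not code from the paper or from Smodels. It emits ground rules in the lparse/gringo input syntax, names the non-atomic subformulas `f1`, `f2`, ... in the order they are first met, writes the paper's $c(f)$ as the atom `c_f1`, and takes the net as a transition-to-(preset, postset) table; all of these are this example's assumptions. The input formula must already be in positive normal form, as the text requires, and the output is meant to be combined with $\Pi_M(C_0, 0)$, $\Pi_A(N, n)$ and $\Pi_L(N, n)$ of Section 3.2 to obtain the program of Theorem 3.

```python
# Running example of Fig. 1 (constructed from the presets/postsets quoted in
# the text): transition -> (preset, postset).
NET = {
    "t1": ({"p3"}, {"p1"}),
    "t2": ({"p1", "p2"}, {"p3", "p4"}),
    "t3": ({"p2"}, {"p4"}),
    "t4": ({"p4"}, {"p2"}),
    "t5": ({"p2"}, {"p5"}),
}
PLACES = ["p1", "p2", "p3", "p4", "p5"]


def lit(name, i):
    return name + "(" + str(i) + ")"


def visible_transitions(net, ap):
    """t is visible iff F(t,p) - F(p,t) != 0 for some p in AP, i.e. firing t
    changes the marking of a place that occurs in the formula."""
    return sorted(t for t, (pre, post) in net.items()
                  if any((p in post) != (p in pre) for p in ap))


def pi_ltl(f, net, places, ap, n):
    """Pi_LTL(f, n) for a formula f in positive normal form, as lparse text.
    f is an atom (place name) or ('not', p), ('or', f, g), ('and', f, g),
    ('U', f, g), ('R', f, g)."""
    rules = []
    for i in range(n):                                                 # (11)
        rules.append("{" + lit("el", i) + "}.")
    rules.append(":- 2 {" + ", ".join(lit("el", i) for i in range(n)) + "}.")  # (12)
    for i in range(n):                                                 # (13)
        for p in places:
            rules.append(":- " + lit("el", i) + ", " + lit(p, i) + ", not " + lit(p, n) + ".")
            rules.append(":- " + lit("el", i) + ", " + lit(p, n) + ", not " + lit(p, i) + ".")
    for i in range(n):                                                 # (14)
        rules.append("le :- " + lit("el", i) + ".")
        rules.append(lit("nl", i + 1) + " :- " + lit("el", i) + ".")
        rules.append(lit("il", i + 1) + " :- " + lit("el", i) + ".")
        rules.append(lit("il", i + 1) + " :- " + lit("il", i) + ".")
    rules.append(":- le, " + lit("idle", n - 1) + ".")                 # (15)
    vis = visible_transitions(net, ap)
    if len(vis) >= 2:                                                  # (16)
        for i in range(n):
            rules.append(":- 2 {" + ", ".join(lit(t, i) for t in vis) + "}.")

    names = {}

    def tr(g):
        """Fig. 4 for all 0 <= i <= n; returns the atom name standing for g."""
        if isinstance(g, str):
            return g                     # atomic: use p(i) directly
        if g in names:
            return names[g]
        me = "f" + str(len(names) + 1)
        names[g] = me
        op = g[0]
        if op == "not" and not isinstance(g[1], str):
            raise ValueError("formula must be in positive normal form")
        a = tr(g[1])
        b = tr(g[2]) if len(g) == 3 else None
        for i in range(n + 1):
            if op == "not":
                rules.append(lit(me, i) + " :- not " + lit(a, i) + ".")
            elif op == "or":
                rules.append(lit(me, i) + " :- " + lit(a, i) + ".")
                rules.append(lit(me, i) + " :- " + lit(b, i) + ".")
            elif op == "and":
                rules.append(lit(me, i) + " :- " + lit(a, i) + ", " + lit(b, i) + ".")
            elif op == "U":
                rules.append(lit(me, i) + " :- " + lit(b, i) + ".")
                rules.append(lit(me, i) + " :- " + lit(a, i) + ", " + lit(me, i + 1) + ".")
                rules.append(lit(me, n + 1) + " :- " + lit("nl", i) + ", " + lit(me, i) + ".")
            elif op == "R":
                rules.append(lit(me, i) + " :- " + lit(a, i) + ", " + lit(b, i) + ".")
                rules.append(lit(me, i) + " :- " + lit(b, i) + ", " + lit(me, i + 1) + ".")
                rules.append(lit(me, n + 1) + " :- " + lit("nl", i) + ", " + lit(me, i) + ".")
                rules.append("c_" + me + " :- " + lit("il", i) + ", not " + lit(b, i) + ".")
            else:
                raise ValueError(op)
        if op == "R":                    # the two rules of Fig. 4 without an i
            rules.append(lit(me, n + 1) + " :- le, not c_" + me + ".")
            rules.append(lit(me, n) + " :- " + lit(b, n) + ", not live.")
        return me

    top = tr(f)
    rules.append(":- not " + lit(top, 0) + ".")                       # (17)
    return rules


if __name__ == "__main__":
    # <> p5 in positive normal form: (p1 or not p1) U p5, i.e. "p5 is reachable".
    print("\n".join(pi_ltl(("U", ("or", "p1", ("not", "p1")), "p5"), NET, PLACES, ["p5"], 2)))
```

The bound $n$ here is the number of steps of $\Pi_A(N, n)$, so the translated formula atoms range over $0 \le i \le n+1$ as in Fig. 4, and with $AP = \{p1, p5\}$ the visible transitions of the running example are $t1$, $t2$ and $t5$.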

Theorem 3 

Let $f$ be an LTL formula in positive normal form and $N = (P, T, F)$ be a 1-safe 
P/T-net for all initial markings satisfying a condition $C_0$. If $\Pi_M(C_0, 0) \cup \Pi_A(N, n) \cup$ 
$\Pi_L(N, n) \cup \Pi_{LTL}(f, n)$ has a stable model, then there is a maximal execution of $N$ 
from an initial marking satisfying $C_0$ which satisfies $f$. 



² An equivalence explaining the release translation: f1 R f2 ≡ (f2 U (f1 ∧ f2)) ∨ (□ f2). 

Proof 

See Appendix A.2. □ 

We also have the following completeness result for our translation. First we define 
the notion of a looping execution. A finite execution M0 →[t0] M1 →[t1] ... M_{n−1} →[t_{n−1}] M_n 
is a looping execution, if n ≥ 1 and there exists an index l < n such that M_l = M_n. 
A looping execution together with the index l is a finite witness to the existence of 
the corresponding (infinite) maximal execution σ of the net system N which visits 
the sequence of states M0, M1, ..., M_l, M_{l+1}, ..., M_n, M_{l+1}, ..., M_n, .... 

Theorem 4 

Let f be an LTL formula in positive normal form and N = (P, T, F) be a 1-safe 
P/T-net for all initial markings satisfying a condition C0. If N has a looping or 
deadlock execution of at most length n starting from an initial marking satisfying 
C0 such that some corresponding maximal execution σ satisfies f, then Π_M(C0, 0) ∪ 
Π_A(N, n) ∪ Π_L(N, n) ∪ Π_LTL(f, n) has a stable model. 

Proof 

See Appendix A.3. □ 

The size of the program in Theorem 3 is linear in the size of the net and formula, 
i.e., O((|P| + |T| + |F| + |f|) · n). The semantics of LTL is defined over interleaving 
executions. A novelty of the translation is that it allows concurrency between 
invisible transitions. 

We could simplify the LTL translation presented above in the following ways. Firstly, 
if the net system is known to be deadlock free, the release translation in Fig. 4 can 
be simplified by removing the rule 

    f(n) ← f2(n), not live, 

and also the (now unnecessary) subprogram Π_L(N, n). 

Secondly, if we remove the possibility of obtaining non-maximal counterexample 
executions, the release translation can be removed fully by using the equivalence 
φ1 R φ2 ≡ ¬(¬φ1 U ¬φ2) and adding (the obvious) translation for negation. This 
can not be done when non-maximal counterexamples are used, because the equivalence 
does not hold in that case. As an example, one can not deduce from the fact 
that ¬◇¬φ holds for a non-maximal execution σ that □φ holds for any maximal 
execution σ′ such that σ is a prefix of σ′. The non-maximal counterexample executions 
are quite valuable in practice, as using them violations of safety properties 
can be found with smaller bounds. Therefore we chose to use a more complicated 
translation for release. 

Forcing interleaving semantics. We can create the interleaving semantics versions 
of bounded model checking problems by adding a set of rules Π_I(N, n). It includes 
for each time step 0 ≤ i ≤ n − 1 a rule 

    ← 2 {t1(i), ..., tm(i)}    (18)

where {t1, ..., tm} is the set of all transitions. These rules eliminate all stable models 
having more than one transition firing in a step. 
Corollary 1 

Let Π_S(N, n) be a program solving a bounded model checking problem in the 
step semantics using any of the translations above. Then the program Π_S(N, n) ∪ 
Π_I(N, n) solves the same problem in the interleaving semantics. 



3.4 Relation to previous work 

Logic programming techniques have been used to model check branching time 
modal logics like the modal mu-calculus and CTL where model checking can be 
reduced to solving equations with least and greatest fixed points. A state of the 
art example of this approach is the XMC system (RRS+00) which has been extended 
to handle also linear temporal logic LTL using the standard tableau style 
approach (PR00). This method has the disadvantage that the size of the resulting 
tableau can be exponential w.r.t. the size of the temporal formula to be checked. 
The exponential worst case space complexity, which is present in typical LTL model 
checkers, is avoided in bounded model checking where the space complexity remains 
polynomial also w.r.t. the temporal formula. 

In previous work on bounded model checking little attention has been given to 
the knowledge representation problem of encoding succinctly the unfolded behavior 
and the temporal property. We address this problem and develop an encoding of 
the behavior of an asynchronous system which is linear in the size of the system 
description (Petri net) and the formula as well as in the number of steps. 

Our approach extends the previous work in several respects. Earlier research 
has been based on the interleaving semantics. Our work allows the use of the step 
semantics which enables the exploitation of the inherent concurrency of the system 
in model checking. The standard approach (BCCZ99) assumes that the system to 
be model-checked is deadlock-free while we can do LTL model checking for systems 
with reachable deadlocks. 

We develop a more compact encoding of bounded LTL model checking. Our 
encoding is linear in the size of the net, the formula and the bound. In (BCCZ99) 
the encoding is superlinear in the size of the formula. The paper provides no upper 
bound on the size w.r.t. the formula but states that it is polynomial in the size of the 
formula if common subexpressions are shared and quadratic in the bound. These 
same observations can also be made of the optimised version of the translation 
presented in (CPRS02). The compactness of our encoding is due to the fact that 
the stable model semantics supports least fixed point evaluation of recursive rules 
which is exploited in translating the until and release formulas. 

For simple temporal properties such as reachability and deadlock detection our 
approach could be quite directly used as a basis for a similar treatment using 
propositional logic and satisfiability (SAT) checkers. This is fairly straightforward 
by using the ideas of Clark's completion and Fages' theorem (Fag94) as our encoding 
produces acyclic programs except for the choice rules which need a special 
treatment. 
4 Experiments 

We have implemented the deadlock detection and LTL model checking translations 
presented in the previous section in a bounded model checker boundsmodels, 
which uses Smodels as the underlying stable model finder. The implementation 
performs the following optimisations when given a fixed initial marking M0: 

• Place and transition atoms are added only from the time step they can first 
appear on. Only atoms for places p(0) in the initial marking are created for 
time i = 0. Then for each 0 ≤ i ≤ n − 1: (i) Add transition atoms for 
all transitions t(i) such that all the place atoms in the preset of t(i) exist. 
(ii) Add place atoms for all places p(i + 1) such that either the place atom 
p(i) exists or some transition atom in the preset of p(i + 1) exists. 

• Duplicate rules are removed. Duplicates can appear in Q and (10). 
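The first optimisation as an added example (not the boundsmodels tool's code): it computes forward, from a fixed initial marking, which place and transition atoms exist at each time step, and compares the count with the unoptimised |P|·(n+1) + |T|·n atoms. The preset/postset dictionary encoding and the constructed sample net are assumptions of this example.

```python
"""Which atoms p(i) and t(i) the Section 4 optimisation actually creates.

Added example, not the boundsmodels tool's code. The net is given as
preset/postset dictionaries (our own encoding); the initial marking m0 is
fixed, as the optimisation requires.
"""
from typing import Dict, List, Set, Tuple


def atom_schedule(preset: Dict[str, Set[str]], postset: Dict[str, Set[str]],
                  m0: Set[str], n: int) -> Tuple[List[Set[str]], List[Set[str]]]:
    """places[i] = places p for which p(i) exists, trans[i] = transitions t
    for which t(i) exists, built forward from time 0 to n."""
    places: List[Set[str]] = [set(m0)]   # only p(0) for p in the initial marking
    trans: List[Set[str]] = []
    for i in range(n):
        # (i) t(i) exists when every place atom of its preset exists at time i
        ti = {t for t, pre in preset.items() if pre <= places[i]}
        trans.append(ti)
        # (ii) p(i+1) exists when p(i) exists or some t(i) with p in t* exists
        nxt = set(places[i])
        for t in ti:
            nxt |= postset[t]
        places.append(nxt)
    return places, trans


def atom_counts(preset: Dict[str, Set[str]], postset: Dict[str, Set[str]],
                m0: Set[str], n: int) -> Tuple[int, int]:
    """(atoms created by the optimisation, atoms of the unoptimised encoding,
    which has |P|*(n+1) place atoms and |T|*n transition atoms)."""
    places, trans = atom_schedule(preset, postset, m0, n)
    all_places = set(m0).union(*preset.values(), *postset.values())
    created = sum(len(s) for s in places) + sum(len(s) for s in trans)
    full = len(all_places) * (n + 1) + len(preset) * n
    return created, full


if __name__ == "__main__":
    # Constructed net: a chain a -> b -> c -> d plus a transition t4 whose
    # preset place e is never marked, so no t4(i) atom is ever created.
    PRE = {"t1": {"a"}, "t2": {"b"}, "t3": {"c"}, "t4": {"e"}}
    POST = {"t1": {"b"}, "t2": {"c"}, "t3": {"d"}, "t4": {"a"}}
    places, trans = atom_schedule(PRE, POST, {"a"}, 3)
    for i, s in enumerate(trans):
        print(f"step {i}: transition atoms for {sorted(s)}")
    print("created vs. unoptimised atoms:", atom_counts(PRE, POST, {"a"}, 3))
```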

We compare boundsmodels to a state of the art model checker NuSMV 2.1.0 
(http://nusmv.irst.itc.it/) which contains two different model checking engines 
(CCG+02). The first one (NuSMV/BMC) is a bounded LTL model checker 
based on the approach of (BCCZ99), and includes some further improvements presented 
in (CPRS02). It uses as the underlying SAT solver the zChaff 2001.2.17 
(http://www.ee.princeton.edu/~chaff/) system (MMZ+01). The second engine 
(NuSMV/BDD) is an efficient implementation of a traditional BDD based model 
checker. 

As benchmarks we use a set of deadlock detection benchmarks collected by Corbett 
(Cor95), and also hand-crafted LTL model checking problems based on these 
models. The Corbett models are available both as communicating automata, and 
in the input language of the NuSMV model checker. The communicating automata 
models were converted to 1-safe P/T-nets by Melzer and Römer (MR97). We use 
the models which have a deadlock, and are non-trivial to model check. 

In the deadlock checking experiments for each model and both semantics we increment 
the used bound until a deadlock is found. We report the time for Smodels 2.26 
to find the first stable model using this bound and the time used by the NuSMV model 
checker. In some cases a model could not be found within a reasonable time (3600 
seconds) in which case we report the time used to prove that there is no deadlock 
within the reported bound. 

The deadlock checking experimental results can be found in Table 1. We use "*" 
to denote the fact that NuSMV ran out of the 900 MiB memory limit on DARTES(1) with 
both engines, so we could not make a comparison in this case. While performing 
state space size comparisons between Petri net and NuSMV models, we found problems 
in the used communicating automata to Petri net translation, resulting in 
model differences in ELEV(x) and HART(x). Thus we also excluded these models 
from comparison, denoting this in the table with "-". 

Table 1. Deadlock Checking Experiments 

Problem     St n   St s     Int n  Int s    Bmc n  Bmc s    Bdd s   States
DP(6)       1      0.0      6      0.1      6      0.2      0.1     728
DP(8)       1      0.0      8      2.3      8      2.4      0.1     6560
DP(10)      1      0.0      10     182.5    10     155.9    0.2     59048
DP(12)      1      0.0      >9     707.3    >8     984.4    0.2     531440
KEY(2)      >29    2089.7   >29    2227.8   >30    2531.9   0.1     536
MMGT(3)     7      0.9      10     24.2     10     16.6     0.2     7702
MMGT(4)     8      174.9    12     2533.4   12     84.9     0.4     66308
Q(1)        9      0.0      >17    1051.4   >11    2669.8   2.9     123596
DARTES(1)   32     0.4      32     0.4      *      *        *       >1500000
ELEV(1)     4      0.0      9      0.1      -      -        -       163
ELEV(2)     6      0.2      12     1.8      -      -        -       1092
ELEV(3)     8      1.9      15     94.2     -      -        -       7276
ELEV(4)     10     60.9     >13    656.8    -      -        -       48217
HART(25)    1      0.0      >5     0.4      -      -        -       >1000000
HART(50)    1      0.0      >5     1.7      -      -        -       >1000000
HART(75)    1      0.0      >5     5.1      -      -        -       >1000000
HART(100)   1      0.0      >5     11.6     -      -        -       >1000000

The columns are: 

• Problem: The problem name with the size of the instance in parenthesis. 

• St n: The smallest integer n such that a deadlock could be found using the 
step semantics / in case of > n the largest integer n for which we could prove 
that there is no deadlock within that bound using the step semantics. 

• St s: The time in seconds to find the first stable model / to prove that there 
is no stable model. (See St n above.) 

• Int n and Int s: defined as St n and St s but for the interleaving semantics. 

• Bmc n and Bmc s: Same as Int n and Int s above, but for the NuSMV/BMC 
bounded model checking engine. 

• Bdd s: Time needed for the NuSMV/BDD engine to compute the set of reachable 
states and to find a state in that set which has no successors. 

• States: Number of reachable states of the model (if known). 

The time reported is the average of 5 runs where the timing is measured by the 
/usr/bin/time command on a 1 GiB RAM, 1 GHz AMD (Thunderbird) Athlon PC 
running Linux. The time needed for creating the Smodels input was very small, 
and therefore omitted. 

The NuSMV/BMC engine did not directly support deadlock checking, so we had to 
modify the models slightly to add a proposition Live to all the models, which is true 
iff any transition is enabled. We then ask for counterexamples without a loop for 
the LTL property □ Live. With the NuSMV/BDD engine we use forward reachability 
checking combined with transition relation totality check limited to the reachable 
states. The default dynamic variable reordering method is used. We disable for these 
deadlock checking experiments a time consuming (and unnecessary for deadlock 
checking) fairness set calculation during NuSMV/BDD model initialisation. 
Table 2. LTL model checking experiments 

Problem     St n   St s     Int n  Int s    Bmc n  Bmc s    Bdd s   States
DP(6)       7      0.2      8      0.5      8      4.3      64.8    728
DP(8)       8      1.5      10     5.7      10     64.0     >1800   6560
DP(10)      9      25.9     12     140.1    12     1257.1   >1800   59048
DP(12)      10     889.4    14     >1800    14     >1800    >1800   531440


When comparing our bounded model checker on step and interleaving semantics 
we note that in many of the experiments the step semantics version finds a deadlock 
with a smaller bound than the interleaving one. Also, when the bound needed to 
find the deadlock is fairly small, our bounded model checker is performing well. In 
the examples ELEV(4), HART(x) and Q(l) we are able to find a counterexample 
only when using step semantics. In the KEY(2) example we are not able to find a 
counterexample with either semantics, even though the problem is known to have 
only a small number of reachable states. In contrast, the DARTES(1) problem has 
a large state-space, and despite it a counterexample of length 32 is obtained. 

When comparing with NuSMV/BMC we observe that the step semantics translation 
is quite competitive, with only NuSMV/BMC being better on KEY(2) and MMGT(4). 
We believe this is mainly due to the smaller bounds obtained using steps. Somewhat 
surprisingly to us, NuSMV/BMC is also worse than interleaving on DP(12) and Q(l). 
This could be due to either translation or solver differences. 

The examples we have used have a small and fairly regular state space. Thus the 
NuSMV/BDD engine is very competitive on them, as expected. The only exception to 
this rule is DARTES(l), where for some reason the NuSMV/BDD engine uses more 
than 900 MiB of memory. Overall, the results are promising, in particular, for small 
bounds and the step semantics. 

We do not have a large collection of LTL model checking problems available to 
us. Instead we pick a model family, the dining philosophers problems DP(x), and 
use a hand-crafted LTL formula for each model. Because the NuSMV/BDD LTL model 
checking engine only works for deadlock free models, we remove all the deadlocks 
from these examples by making each deadlock state a successor of itself. 

The formulas to be checked are hand-crafted to demonstrate potential differences 
between |BCCZ99) and our proposed method. We study nested until formulas for 
which the translation of (BCCZ99) seems to be rather complex. In our model the 
atomic proposition fi.up has the meaning that fork i is available, and pi.eat has 
the meaning that philosopher i is eating. We model check the following formulas. 
For six philosophers we use the formula: 

    ¬□◇(f5.up U (p5.eat ∧ (f3.up U (p3.eat ∧ (f1.up U p1.eat))))), 

for eight philosophers we use the formula: 



    ¬□◇(f7.up U (p7.eat ∧ (f5.up U (p5.eat ∧ (f3.up U (p3.eat ∧ (f1.up U p1.eat))))))), 

and so on. The counterexample is a model for a formula of the form □◇(φ), where φ 
has deeply nested until formulas. Thus in a counterexample φ has to hold infinitely 
often. As an example, one way to make φ hold in the six philosophers case is to 
find a state where (p5.eat ∧ p3.eat ∧ p1.eat) holds. 

The experimental results for the LTL model checking can be found in Table 2. 
For this set of experiments we use the run time limit of 1800 seconds, and do not 
try smaller bounds when the limit is exceeded. The columns of the table are as in the 
deadlock checking experiments, except that we are looking for a counterexample 
to the LTL formula. In these examples NuSMV is run with default dynamic BDD 
variable reordering on. 

The experiments show that the step semantics is able to obtain a counterexample 
for DP(12), while the other methods are unable to. The NuSMV/BMC engine scales worse 
than the interleaving semantics translation. By investigating further, we notice that 
in DP(10) the zChaff solver only takes 160.4 seconds, while the generation of the 
SAT instance for the solver takes almost 1100 seconds. We believe that a large part 
of this overhead is due to the size of the generated LTL model checking translation. 
The NuSMV/BDD based LTL model checker seems to be scaling worse than for the 
corresponding deadlock checking examples and it can be observed that the number 
of BDD operations required for LTL model checking is significantly larger. 

The used tools, models, formulas, and logic programs are available at 
http://www.tcs.hut.fi/~kepa/experiments/boundsmodels/ 



5 Conclusions 

We introduce bounded model checking of asynchronous concurrent systems mod- 
elled by 1-safe P /T-nets as an interesting application area for answer set program- 
ming. We present mappings from bounded reachability, deadlock detection, and 
LTL model checking problems of 1-safe P/T-nets to stable model computation. 
Our approach is capable of doing model checking for a set of initial markings at 
once. This is usually difficult to achieve in current enumerative model checkers and 
often leads to state space explosion. We handle asynchronous systems using a step 
semantics whereas previous work on bounded model checking only uses the inter- 
leaving semantics (BCCZ99). Furthermore, our encoding is more compact than the 
previous approach employing propositional satisfiability (BCCZ99). This is because 
our rule based approach allows to represent executions of the system, e.g. frame ax- 
ioms, succinctly and supports directly the recursive fixed point computation needed 
to evaluate LTL formulas. Another feature of our LTL translation is that it does 
not require the deadlock freeness assumption used by ( BCCZ99), and thus we can 
employ it also with systems which have not been proved deadlock free. 

The first experimental results indicate that stable model computation is quite 
a competitive approach to searching for short executions of the system leading to 
deadlock and worth further study. More experimental work and comparisons are 
needed to determine the strength of the approach. In particular, for comparing with 
SAT checking techniques, it would be interesting to develop a similar treatment of 
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asynchronous systems using a SAT encoding and compare it to the logic program 
based approach. 

Relating the net unfolding method (see (Hel99; MR97) and further references 
there) to bounded model checking would be interesting. There are also alternative 
semantics to the two presented in this work (Hel01); applying them to bounded 
LTL model checking is left for further work. 
Appendix A Proofs 

A.1 Proof of Theorem 1 

We first recall our proof objective. Let N = (P, T, F) be a 1-safe P/T-net for all 
initial markings satisfying a condition C0. 

We want to prove that the net N has an initial marking satisfying C0 such that 
a marking satisfying a condition C is reachable in at most n steps iff Π_M(C0, 0) ∪ 
Π_A(N, n) ∪ Π_M(C, n) has a stable model. 

The proof is based on the following two lemmata which establish a correspondence 
between stable models of Π_M(C0, 0) ∪ Π_A(N, n) and n-bounded step executions of 
the 1-safe P/T-net N. We say that a step execution 

    σ_{N,n}(Δ) = M0 →[S0] M1 →[S1] ... M_{n−1} →[S_{n−1}] M_n    (A1)

is derived from a stable model Δ if for all i = 0, ..., n, M_i = {p ∈ P | p(i) ∈ Δ} 
and for all i = 0, ..., n − 1, S_i = {t ∈ T | t(i) ∈ Δ}. 

Lemma 1 

Let N = (P, T, F) be a 1-safe P/T-net for all initial markings satisfying a condition 
C0. If Π_M(C0, 0) ∪ Π_A(N, n) has a stable model Δ, then σ_{N,n}(Δ) is a step execution 
of N starting from an initial marking satisfying C0. 

Proof 

Consider a step execution σ_{N,n}(Δ) (A1) which is derived from a stable model Δ 
of Π_M(C0, 0) ∪ Π_A(N, n). Because Δ satisfies the rules Π_M(C0, 0), the marking M0 
satisfies condition C0. Now we show that σ_{N,n}(Δ) is a valid step execution starting 
from M0 by showing that if the step execution is valid up to marking M_i, then it 
is valid also up to M_{i+1}, i.e., M_i →[S_i] M_{i+1} holds for all i = 0, ..., n − 1. Consider 
S_i = {t ∈ T | t(i) ∈ Δ}. As every stable model is supported, t(i) ∈ Δ implies that 
there is a rule in Π_M(C0, 0) ∪ Π_A(N, n) with t(i) as the head and the body literals 
satisfied in Δ. The only candidate rule is the rule of Π_A(N, n) with head t(i) and, hence, for every place p in the 
preset of t, p(i) ∈ Δ and, thus, p ∈ M_i. This implies that every transition t ∈ S_i is 
enabled in M_i. Moreover, as Δ satisfies the conflict rules of Π_A(N, n), S_i is concurrently enabled in M_i. 

Given a marking M_i and a concurrently enabled step S_i, M_i →[S_i] M_{i+1} holds in 
a 1-safe net, if for all p ∈ P, p ∈ M_{i+1} iff 

    (a) p ∈ t• for some t ∈ S_i, or (b) p ∈ M_i and for all t ∈ S_i, p ∉ •t.    (A2)

We complete the proof by showing that this holds for M_{i+1}. Consider a place p ∈ P. 

(⇒) If p ∈ M_{i+1}, then p(i + 1) ∈ Δ. Hence, there is some rule in Π_A(N, n) with 
p(i + 1) as the head and the body literals satisfied in Δ. There are two types of 
candidate rules: the rules p(i + 1) ← t(i) and the frame rule for p(i + 1). In the case of a rule p(i + 1) ← t(i), if the body is satisfied in Δ, t(i) ∈ Δ 
and t ∈ S_i for a transition t with p ∈ t•, implying that Condition (A2 a) holds. 
For the frame rule, if the body is satisfied in Δ, then p ∈ M_i and no transition having p in its 
preset is in S_i. This implies that Condition (A2 b) holds. 

(⇐) If Condition (A2 a) holds for p ∈ P, then there is some t(i) ∈ Δ. Because a 
rule p(i + 1) ← t(i) is in Π_A(N, n), p(i + 1) ∈ Δ and, hence, p ∈ M_{i+1}. 
If Condition (A2 b) holds for p ∈ P, then p(i) ∈ Δ and for all transitions t with 
p ∈ •t, t(i) ∉ Δ. As Δ satisfies the frame rule for p(i + 1), p(i + 1) ∈ Δ and, hence, 
p ∈ M_{i+1}. □ 
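The derivation σ_{N,n}(Δ) and the step-validity check of Lemma 1 as an added example (not the paper's code): it reads M_i and S_i off a set of atoms, checks that each S_i is concurrently enabled in M_i and that M_{i+1} satisfies condition (A2), and reports the finite witnesses used by Theorem 4 in Section 3 (a loop index l < n with M_l = M_n, or a deadlock in M_n). The atom strings, the preset/postset encoding and the constructed sample net are assumptions of this example.

```python
"""Derive sigma_{N,n}(Delta) from a set of atoms and validate it as a step
execution of a 1-safe net (Lemma 1): each step S_i must be concurrently enabled
in M_i and M_{i+1} must satisfy condition (A2). The same data yields the finite
witnesses of Theorem 4: a loop index l < n with M_l = M_n, or a deadlock in M_n.
Added example, not the paper's code; atom strings and the preset/postset
encoding of the net are our own.
"""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Net = Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]   # (preset, postset) per transition
Marking = FrozenSet[str]
Step = FrozenSet[str]


def derive(atoms: Set[str], places: List[str], transitions: List[str], n: int
           ) -> Tuple[List[Marking], List[Step]]:
    """M_i = {p | p(i) in Delta} for 0 <= i <= n, S_i = {t | t(i) in Delta} for i < n."""
    marks = [frozenset(p for p in places if f"{p}({i})" in atoms) for i in range(n + 1)]
    steps = [frozenset(t for t in transitions if f"{t}({i})" in atoms) for i in range(n)]
    return marks, steps


def concurrently_enabled(net: Net, m: Marking, step: Step) -> bool:
    """Every t in the step is enabled in m and no two of them share a preset place."""
    preset, _ = net
    used: Set[str] = set()
    for t in step:
        if not preset[t] <= m or preset[t] & used:
            return False
        used |= preset[t]
    return True


def fire(net: Net, m: Marking, step: Step) -> Marking:
    """M_{i+1} by (A2): p is marked iff (a) p in t* for some t in S_i, or
    (b) p in M_i and p not in *t for every t in S_i."""
    preset, postset = net
    consumed = {p for t in step for p in preset[t]}
    produced = {p for t in step for p in postset[t]}
    return frozenset((m - consumed) | produced)


def is_step_execution(net: Net, marks: List[Marking], steps: List[Step]) -> bool:
    """Validity up to M_{i+1} for every i, exactly as the inductive argument of Lemma 1."""
    return all(concurrently_enabled(net, marks[i], s) and fire(net, marks[i], s) == marks[i + 1]
               for i, s in enumerate(steps))


def enabled(net: Net, m: Marking) -> Set[str]:
    preset, _ = net
    return {t for t in preset if preset[t] <= m}


def witness(net: Net, marks: List[Marking], steps: List[Step]) -> Optional[Tuple[str, int]]:
    """('loop', l) if M_l = M_n for some l < n (looping execution),
    ('deadlock', n) if nothing is enabled in M_n, else None (non-maximal)."""
    n = len(steps)
    for idx in range(n):
        if marks[idx] == marks[n]:
            return ("loop", idx)
    if not enabled(net, marks[n]):
        return ("deadlock", n)
    return None


if __name__ == "__main__":
    # Constructed net: t1: a -> b, t2: b -> a, td: b -> c (c is a dead end).
    NET: Net = ({"t1": {"a"}, "t2": {"b"}, "td": {"b"}},
                {"t1": {"b"}, "t2": {"a"}, "td": {"c"}})
    P, T = ["a", "b", "c"], ["t1", "t2", "td"]
    # Constructed atoms of a looping execution with bound n = 2.
    marks, steps = derive({"a(0)", "t1(0)", "b(1)", "t2(1)", "a(2)"}, P, T, 2)
    print(is_step_execution(NET, marks, steps), witness(NET, marks, steps))
```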

Lemma 2 

Let N = (P, T, F) be a 1-safe P/T-net for all initial markings satisfying a condition 
C0. If there is a step execution σ′ of N without empty steps from an initial 
marking M0 satisfying C0 containing n′ ≤ n steps, then there is a stable model 
Δ of Π_M(C0, 0) ∪ Π_A(N, n) such that the derived step execution σ = σ_{N,n}(Δ) = 
M0 →[S0] M1 →[S1] ... M_{n−1} →[S_{n−1}] M_n is a step execution of N, such that σ is the 
execution σ′ with n − n′ empty steps added to the beginning. 






Keijo Heljanko and Ilkka Niemelä 



Proof 

Let σ′ be a step execution from an initial marking M0 satisfying C0 in n′ ≤ n steps. 
Then there is a step execution 

    M0 →[S0] M1 →[S1] ... M_{n−1} →[S_{n−1}] M_n    (A3)

where the n − n′ first steps are empty if n′ < n, i.e., S0 = ··· = S_{n−n′−1} = {} and 
M0 = ··· = M_{n−n′}. 

Now consider a set of atoms 

    Δ = {p(i) | p ∈ M_i, 0 ≤ i ≤ n} ∪ 
        {t(i) | t ∈ S_i, 0 ≤ i < n} ∪ 
        {idle(0), ..., idle(n − n′ − 1)} ∪ 
        {p′(0) | p ∈ P − M0} ∪ {t′(i) | t ∈ T − S_i, 0 ≤ i < n} ∪ C(0) 

where C(0) are the atoms c_f(0) corresponding to the subexpressions f of Condition 
C0 that are satisfied in M0. 

We show that Δ is a stable model of Π = Π_M(C0, 0) ∪ Π_A(N, n) by establishing 
that (i) Δ ⊨ Π^Δ and that (ii) if Δ′ ⊆ Δ and Δ′ ⊨ Π^Δ, then Δ ⊆ Δ′, which together 
imply that Δ is the minimal set of atoms satisfying Π^Δ. 

(i) By construction the rules in Π_M(C0, 0)^Δ are satisfied by Δ. Now we consider the 
other rules in Π_A(N, n) case by case and show that the rules resulting from them in Π^Δ 
are satisfied. Rules resulting from the rules defining p′(0) and t′(i) are satisfied directly by construction 
of Δ because p(0) ∈ Δ iff p′(0) ∉ Δ and t(i) ∈ Δ iff t′(i) ∉ Δ. Consider a rule p(i + 1) ← t(i) 
and assume that t(i) ∈ Δ. Now t ∈ S_i with p ∈ t•. This implies that p ∈ M_{i+1} and, 
hence, p(i + 1) ∈ Δ. Each conflict rule is satisfied by Δ because each S_i is concurrently 
enabled, implying that no S_i can contain any two transitions sharing a place in their 
presets. Consider the reduct p(i + 1) ← p(i) ∈ Π^Δ of a frame rule and the case where 
p(i) ∈ Δ. Now p ∈ M_i and for each transition t with p in its postset t(i) ∉ Δ. 
Hence, there is no transition with p in its preset in S_i, implying that p ∈ M_{i+1} and 
p(i + 1) ∈ Δ. The remaining rules are straightforwardly satisfied by construction of Δ. Hence, 
Δ ⊨ Π^Δ holds. 

(ii) Consider a set Δ′ ⊆ Δ such that Δ′ ⊨ Π^Δ. Assume that there is an atom 
x ∈ Δ − Δ′. This atom cannot be any p(0) for a place p because for each p(0) ∈ Δ 
there is a fact p(0) ← ∈ Π^Δ. Similarly, it cannot be any p′(0), t′(i) for some t ∈ T 
or idle(i) because also for each of these there is a corresponding fact in Π^Δ. 

Hence, x is either some p(i) with p ∈ P and 0 < i ≤ n or some t(i) with t ∈ T 
and 0 ≤ i < n. Now consider such an atom x with the smallest index i. Suppose 
x is some p(i) ∈ Δ − Δ′. Then p ∈ M_i which implies that (a) p ∈ t• for some t ∈ 
S_{i−1} or (b) p ∈ M_{i−1} and for all t ∈ S_{i−1}, p ∉ •t. In the case (a) there is some 
t(i − 1) ∈ Δ′ and as Δ′ satisfies a rule p(i) ← t(i − 1), p(i) ∈ Δ′. In the case 
(b), p(i) ← p(i − 1) ∈ Π^Δ and p(i − 1) ∈ Δ′ which implies p(i) ∈ Δ′. Hence, in both 
cases p(i) ∈ Δ′ holds, implying that x must be some t(i) with t ∈ T and 0 ≤ i < n. 
As t(i) ∈ Δ, t ∈ S_i, implying that t is enabled and, hence, that every place p in 
the preset of t is in M_i. But then for every place p in the preset of t, p(i) ∈ Δ 
and, hence, p(i) ∈ Δ′. As Δ′ satisfies the rule t(i) ← p1(i), ..., pl(i) ∈ Π^Δ where 
{p1, ..., pl} is the preset of t, t(i) ∈ Δ′, a contradiction. Thus, Δ ⊆ Δ′. □ 

Proof 

(of Theorem 1). 

(⇐) If Π_M(C0, 0) ∪ Π_A(N, n) ∪ Π_M(C, n) has a stable model Δ, then by Proposition 
there is a stable model Δ_E = Δ ∩ At of Π_M(C0, 0) ∪ Π_A(N, n) where 
At = Atoms(Π_M(C0, 0) ∪ Π_A(N, n)). By Lemma 1, σ_{N,n}(Δ_E) is a step execution 
of N starting from an initial marking satisfying C0. As Δ satisfies the rules Π_M(C, n), 
the marking M_n in σ_{N,n}(Δ_E) satisfies condition C. 

(⇒) If N has an initial marking M0 satisfying C0 such that a marking M satisfying 
condition C is reachable in at most n steps, then by Lemma 2 Π_M(C0, 0) ∪ 
Π_A(N, n) has a stable model Δ_E such that the derived step execution σ_{N,n}(Δ_E) = 
M0 →[S0] M1 →[S1] ... M_{n−1} →[S_{n−1}] M_n is a step execution of N and M = M_n. 

The rules Π_M(C, n) − {← not c(n)} are stratified and the heads do not occur 
in Π_M(C0, 0) ∪ Π_A(N, n). By Proposition there is a unique stable model Δ of 
Π_M(C0, 0) ∪ Π_A(N, n) ∪ Π_M(C, n) − {← not c(n)} such that Δ_E = Δ ∩ At where 
At = Atoms(Π_M(C0, 0) ∪ Π_A(N, n)). As M_n satisfies condition C, c(n) ∈ Δ 
and, hence, ← not c(n) is satisfied by Δ, implying by Proposition that Δ is 
a stable model of Π_M(C0, 0) ∪ Π_A(N, n) ∪ Π_M(C, n). This concludes our proof of 
Theorem 1. □ 

A.2 Proof of Theorem 3 

We first recall our proof objective. Let f be an LTL formula in positive normal 
form and N = (P, T, F) be a 1-safe P/T-net for all initial markings satisfying a 
condition C0. 

We want to prove that whenever we have a stable model Δ_LTL of the program 
Π = Π_M(C0, 0) ∪ Π_A(N, n) ∪ Π_L(N, n) ∪ Π_LTL(f, n) we can construct a maximal 
execution of the net system N from an initial marking satisfying C0 which satisfies f. 

Our proof proceeds as follows. We first derive a step execution σ′ from the stable 
model Δ_LTL. We then create a maximal step execution σ″ from σ′ using an index 
0 ≤ l ≤ n also obtained from Δ_LTL. After this we show that a maximal (interleaving) 
execution σ can be obtained from σ″ such that σ ⊨ f iff σ″ ⊨ f. Finally we 
show that σ ⊨ f. 

Lemma 3 

For the stable model Δ_LTL, there is a step execution σ′ of the net system N from 
an initial marking satisfying C0. 

Proof 

We first use Proposition with Π1 = Π_M(C0, 0) ∪ Π_A(N, n) and Π2 = Π_L(N, n) ∪ 
Π_LTL(f, n) to obtain a stable model Δ1 of the subprogram Π1. By Lemma 1 the 
execution σ′ = σ_{N,n}(Δ1) is a step execution of N starting from an initial marking 
satisfying C0. □ 
Let Δ1 be the stable model and σ′ the step execution obtained in the proof of 
Lemma 3 above. Now we show that by adding the rules Π_L(N, n) we can evaluate 
whether the last marking reached by σ′ is a deadlock. 

Lemma 4 

Let Δ1 be a stable model of Π1 = Π_M(C0, 0) ∪ Π_A(N, n) and Δ2 a stable model of 
Π2 = Π1 ∪ Π_L(N, n). Then live ∈ Δ2 iff the last marking reached by σ_{N,n}(Δ1) is 
not a deadlock. 

Proof 

The rules in Π_L(N, n) are stratified. Hence, by Proposition Δ2 is the unique stable 
model of Π2 such that Δ1 = Δ2 ∩ Atoms(Π1). If live ∈ Δ2, then there is some rule 
in Π_L(N, n) with its body satisfied by Δ2. As Δ1 = Δ2 ∩ Atoms(Π1), the body 
is satisfied by Δ1 and, hence, there is an enabled transition in the last marking 
reached by σ_{N,n}(Δ1). In the other direction, if there is an enabled transition t in 
the last marking, then {p1(n), ..., pl(n)} ⊆ Δ1 where {p1, ..., pl} is the preset of 
t. But then {p1(n), ..., pl(n)} ⊆ Δ2 and live ∈ Δ2. □ 

Hence, we can again use Proposition with Π1 = Π_M(C0, 0) ∪ Π_A(N, n) ∪ Π_L(N, n) 
and Π2 = Π_LTL(f, n) together with Lemma 4 to show that live ∈ Δ_LTL iff the last 
marking reached by σ′ is not a deadlock. 

We now do a case analysis on three different types of counterexamples. The stable 
model Δ_LTL belongs to exactly one of the following three mutually exclusive cases: 

a) nl(l + 1) ∈ Δ_LTL for some 0 ≤ l ≤ n − 1: infinite maximal execution which we 
will represent as a pair (σ′, l), where 0 ≤ l ≤ n − 1 such that nl(l + 1) ∈ Δ_LTL, 

b) nl(i + 1) ∉ Δ_LTL for all 0 ≤ i ≤ n − 1, live ∉ Δ_LTL: finite maximal execution 
which we will represent as a pair (σ′, n), or 

c) nl(i + 1) ∉ Δ_LTL for all 0 ≤ i ≤ n − 1, live ∈ Δ_LTL: non-maximal execution 
which we will also represent as a pair (σ′, n). 

We will now analyse the stable model Δ_LTL. 

Lemma 5 

The following holds for the three different cases of Δ_LTL. 

a) If nl(l + 1) ∈ Δ_LTL, then nl(i) ∉ Δ_LTL for all i ≠ (l + 1), le ∈ Δ_LTL, 
il(i) ∈ Δ_LTL for all l + 1 ≤ i ≤ n and live ∈ Δ_LTL. 

b) If nl(i + 1) ∉ Δ_LTL for all 0 ≤ i ≤ n − 1 and live ∉ Δ_LTL, then le ∉ Δ_LTL, 
and live ∉ Δ_LTL. 

c) If nl(i + 1) ∉ Δ_LTL for all 0 ≤ i ≤ n − 1, and live ∈ Δ_LTL, then le ∉ Δ_LTL. 

Proof 

a) Because the only rule with nl(l + 1) as head is nl(l + 1) ← el(l) we also get that 
el(l) ∈ Δ_LTL. Because rule (12) is satisfied we know that for all i ≠ l it holds that 
el(i) ∉ Δ_LTL. Because le ← el(l) ∈ Π, we also know that le ∈ Δ_LTL. By using the 
rules il(i + 1) ← el(i) and il(i + 1) ← il(i) and the fact that el(l) ∈ Δ_LTL combined 
with simple induction we get that il(i) ∈ Δ_LTL for all l + 1 ≤ i ≤ n. The rules 
(13) imply that p ∈ M_l iff p ∈ M_n. From the rule (15) and le ∈ Δ_LTL we get that 
idle(n − 1) ∉ Δ_LTL and thus the step S_{n−1} is non-empty. Taking together that 
M_l = M_n and that the step S_{n−1} is non-empty implies that M_n is not a deadlock, and 
thus live ∈ Δ_LTL. 

b, c) Because nl(i + 1) ∉ Δ_LTL for all 0 ≤ i ≤ n − 1, we know also that el(i) ∉ Δ_LTL 
for all 0 ≤ i ≤ n − 1. Then as the only rules having le as head are the rules (14) of 
the form le ← el(i), le ∉ Δ_LTL. 
□ 

We record some facts discovered in the proof of Lemma 5, case a), in the following. 

Corollary 2 

In the case a) for σ′ it holds that M_l = M_n and the step S_{n−1} is non-empty. 

We will next state an additional property of σ′ and show how a maximal step 
execution σ″ can be obtained given the pair (σ′, l). 

Lemma 6 

Each step of σ′ contains at most one visible transition. 

Proof 

We use Proposition with the rules (16) of the subprogram Π_LTL(f, n). □ 

Lemma 7 

For the stable model Δ_LTL there is a maximal step execution σ″ of the net system 
N from an initial marking satisfying C0. 

Proof 

In all cases below Mq is the initial marking of a' and thus satisfies Co. 

In the case a) we know from Corollary[5]that Mi — M n and we can thus generate 
an infinite maximal step execution of N using the pair (a', I). The corresponding 
infinite step execution a" is 

M ^ Mi ^ ■ ■ ■ M„_i S ^ M n ^ M W S ±F • • ■ M„_i S ^ M„ a... 

We also know from Corollary [3 that the step S n -i is non-empty. Therefore a" 
contains infinitely many non-empty steps. 

In the case b) the step execution a" — a 1 will be a maximal step execution of N. 

In the case c) we can pick an interleaving execution a 1 " such that the concatena- 
tion of er' followed by a'" will be a maximal step execution a" of N. □ 

We can now state the existence of maximal executions given the stable model. 

Lemma 8 

For the stable model $\Delta_{LTL}$ there is a maximal (interleaving) execution $\sigma$ of the net 
system $N$ from an initial marking satisfying $C_0$. 

Proof 

By using the procedure described above we can obtain the maximal step execution 
$\sigma''$ from $\Delta_{LTL}$. 

By removing all idle time steps from the maximal step execution $\sigma''$ of $N$, and 
replacing each step by its linearisation, i.e., by some permutation of the transitions that 
make up the step, we can construct a maximal interleaving execution $\sigma$ of $N$. The 
initial marking $M_0$ of $\sigma''$ is also the initial marking of $\sigma$ and thus satisfies $C_0$. □ 

Let $w, w', w'' \in V^+ \cup V^\omega$ be the words corresponding to the executions 
$\sigma, \sigma', \sigma''$ discussed above, respectively. What we prove next is that $w \models f$ iff $w'' \models f$ 
for the LTL formula $f$. 

We need a technical notion of stuttering equivalence for words. The intuition 
behind this equivalence is that if two words are stuttering equivalent, they satisfy 
exactly the same LTL formulas.^3 Our definition of stuttering equivalence is 
motivated by a similar definition in Chapter 10.2 of (CGP99) where also a longer 
discussion of its use can be found. 

^3 This property crucially depends on the non-existence of the next-time operator $X\varphi$ in our 
definition of LTL. 

Definition 3 

Two words $v, v' \in V^+ \cup V^\omega$ are stuttering equivalent when: 

• both are infinite words $v, v' \in V^\omega$, and there are two infinite sequences of positive 
integers $0 = i_0 < i_1 < i_2 < \cdots$ and $0 = j_0 < j_1 < j_2 < \cdots$ such that for 
every $k \ge 0$: $v_{(i_k)} = v_{(i_k+1)} = \ldots = v_{(i_{k+1}-1)} = v'_{(j_k)} = v'_{(j_k+1)} = \ldots = v'_{(j_{k+1}-1)}$, or 

• both are finite words $v, v' \in V^+$, and there exist an integer $n \ge 1$ and two 
finite sequences of positive integers $0 = i_0 < i_1 < \ldots < i_n = |v|$ and $0 = j_0 < 
j_1 < \ldots < j_n = |v'|$ such that for every $0 \le k < n$: $v_{(i_k)} = v_{(i_k+1)} = \ldots = 
v_{(i_{k+1}-1)} = v'_{(j_k)} = v'_{(j_k+1)} = \ldots = v'_{(j_{k+1}-1)}$. 

The following proposition can be proved using a simple induction on the structure 
of the formula $f$ using the definition of LTL semantics. 

Proposition 4 

Let $f$ be an LTL formula and $v, v'$ be two stuttering equivalent words. Then $v \models f$ 
iff $v' \models f$. 

Lemma 9 

The words $w$ and $w''$ corresponding to the maximal execution $\sigma$ and the maximal 
step execution $\sigma''$ are stuttering equivalent. 
Proof 

Lemma 6 implies that each step in $\sigma'$ consists of at most one visible transition, 
and in case c) the suffix $\sigma'''$ is interleaving by definition. Thus each step of the 
execution $\sigma''$ contains at most one visible transition. Thus when a step is replaced 
by some linearisation in the proof of Lemma 8 the step is changed to (possibly 
empty) stuttering of the original atomic propositions, (possibly) followed by a change 
in them, followed by (possibly empty) stuttering of the new atomic propositions. 
Thus each step is replaced by a stuttering equivalent sequence, implying that the 
whole sequence is stuttering equivalent. □ 

Lemma 9 implies that if we correctly evaluate the LTL formula $f$ for the word $w''$ 
then we also correctly evaluate it for $w$. All we have to know to correctly evaluate 
the LTL formula for the word $w''$ is to know the prefix word $w'$, the index $l$, and 
whether we are in case a), b), or c). The evaluation for cases a) and b) will be exact, 
while the case c) will only be approximate, as in that case nothing is known about 
the suffix of the word $w'$. 

Evaluating the formula $f$. Assume we are given a finite word $u \in V^+$ of length 
$n+1$, an index $0 \le l \le n$, and knowledge whether we are in case a), b), or c). This 
induces a word $y \in V^+ \cup V^\omega$ such that in the case a) $y = u\,(u^{(l+1)})^\omega$ and in the 
cases b) and c) $y = u$. 

Given sufficient assumptions about a base program, call it $\Pi_B$, and its stable 
model $\Delta_B$, we want to show that by adding to it the translation of formula $f$ as 
given by Fig. we obtain a program $\Pi_C$, whose unique stable model $\Delta_C$ respects the 
semantics of LTL in the following sense for all three different cases and $0 \le i \le n$: 

a) $f(i) \in \Delta_C$ iff $y^{(i)} \models f$ for $y \in V^\omega$, 

b) $f(i) \in \Delta_C$ iff $y^{(i)} \models f$ for $y \in V^+$, and 

c) if $f(i) \in \Delta_C$ then $y' \models f$ for all $y'' \in V^+ \cup V^\omega$ such that $y' = y^{(i)} y''$. 

The case c) specifies only a prefix $y$ of a word. Our encoding cautiously under- 
approximates the semantics of LTL formulas in the presence of uncertainty about 
the suffix $y''$. 

Notice also that in the case a) the word $y$ is cyclic, and the semantics of LTL 
follows the same cycle when $i > l$. Thus to evaluate, e.g., $y^{(n+1)} \models f$ it suffices to 
evaluate $y^{(l+1)} \models f$. 

The assumptions on the program $\Pi_B$ and its stable model $\Delta_B$ are as follows: 

1. The atoms appearing as heads in the LTL translation do not occur in the 
program $\Pi_B$. 

2. For all $p \in P$, $0 \le i \le n$: $p(i) \in \Delta_B$ iff $p \in y_{(i)}$. 

3. $\Delta_B$ is exactly one of the following three cases: 

a) $nl(l+1) \in \Delta_B$, $nl(i) \notin \Delta_B$ for all $i \ne (l+1)$, $le \in \Delta_B$, $il(i) \in \Delta_B$ for 
all $l+1 \le i \le n$, and $live \in \Delta_B$. 

b) $nl(i+1) \notin \Delta_B$ for all $0 \le i \le n-1$, $le \notin \Delta_B$, and $live \notin \Delta_B$. 

c) $nl(i+1) \notin \Delta_B$ for all $0 \le i \le n-1$, $le \notin \Delta_B$, and $live \in \Delta_B$. 



Keijo Heljanko and Ilkka Niemelä 



Lemma 10 

If the assumptions stated above hold for a base program $\Pi_B$ and its stable model 
$\Delta_B$, then a program $\Pi_C$ obtained from $\Pi_B$ by adding the translation of LTL 
formulas as given by Fig. has a stable model $\Delta_C$, which follows the semantics of 
LTL for all $0 \le i \le n$. 

Proof 

First we note that Assumption 1 above together with Proposition 2 and the fact 
that the translation as given by Fig. is stratified imply that a stable model $\Delta_C$ 
of the combined program exists, and is unique. 

We now do the proof by induction on the structure of the formula $f$. Assume that 
the translations of the subformulas $f_1$ and $f_2$ follow the semantics of LTL. Then we 
prove that also the translation for $f$ follows the semantics of LTL. 

We do a case split by the formula type: 

• $f = p$, for $p \in AP$, or $f = \neg p$, for $p \in AP$: 

By Assumption 2 above $p(i) \in \Delta_C$ iff $p \in y_{(i)}$. 

• $f = f_1 \vee f_2$, or $f = f_1 \wedge f_2$: 

The translation directly follows the semantics of LTL. 

• $f = f_1\,U\,f_2$: 

We show that $f$ follows the semantics of LTL for all $0 \le i \le n$ by establishing that 
(i) it does that for $i = n$ and that (ii) if $f$ follows the semantics of LTL for $i+1$, 
then it does for $i$. The proof is based on the following equivalence valid for the $U$ 
operator for all $0 \le i \le n$: 

$y^{(i)} \models f_1\,U\,f_2$ iff $y^{(i)} \models f_2$ or ($y^{(i)} \models f_1$ and $y^{(i+1)} \models f_1\,U\,f_2$)   (A4) 

(i) Suppose $f(n) \in \Delta_C$. In the cases b) and c) $f(n+1) \notin \Delta_C$, implying that 
$f_2(n) \in \Delta_C$ because $f(n) \leftarrow f_2(n)$ is the only rule supporting $f(n)$. Hence, $y^{(n)} \models f$ 
holds and $y' \models f$ for any $y'$ extending $y^{(n)}$ in the case c). Consider now the case a). 
Suppose there is no $f_2(j) \in \Delta_C$ with $l < j \le n$. Then for $\Delta'_C = \Delta_C - \{f(j) \mid l < 
j \le n\}$, $\Delta'_C \models \Pi_C^{\Delta_C}$ and $\Delta'_C \subset \Delta_C$, which implies that $\Delta_C$ is not a stable model of 
$\Pi_C$, a contradiction. Hence, there is some $f_2(j) \in \Delta_C$ with $l < j \le n$. Take such 
$f_2(j) \in \Delta_C$ with the smallest index $j$. Suppose there is some $f_1(j') \notin \Delta_C$ with 
$l < j' < j$. Now for $\Delta'_C = \Delta_C - \{f(j')\}$, $\Delta'_C \models \Pi_C^{\Delta_C}$ and $\Delta'_C \subset \Delta_C$, implying 
that $\Delta_C$ is not a stable model of $\Pi_C$, a contradiction. Hence, for all $l < j' < j$, 
$f_1(j') \in \Delta_C$. This implies by the inductive hypothesis that $y^{(n)} \models f$ holds. 
Suppose $y^{(n)} \models f$ holds. Then in the case b) $y^{(n)} \models f_2$ holds and hence, by rule 
$f(n) \leftarrow f_2(n) \in \Pi_C$, $f(n) \in \Delta_C$. In the case a) there is some $f_2(j) \in \Delta_C$ with 
$l < j \le n$, and for all $l < j' < j$, $f_1(j') \in \Delta_C$. Then by the rules in the translation of 
$f$, $f(n) \in \Delta_C$. 

(ii) Suppose $f(i) \in \Delta_C$, $i < n$. Then there is a supporting rule in $\Pi_C^{\Delta_C}$ with $f(i)$ 
in the head and the body literals satisfied in $\Delta_C$. There are two candidate rules 
$f(i) \leftarrow f_2(i)$ and $f(i) \leftarrow f_1(i), f(i+1)$. By the inductive hypotheses in the first 
case $y^{(i)} \models f_2$ and in the second case $y^{(i)} \models f_1$ and $y^{(i+1)} \models f$, which imply by 
(A4) $y^{(i)} \models f$. In the other direction for cases a) and b), if $y^{(i)} \models f$ then by (A4) 
$y^{(i)} \models f_2$ or ($y^{(i)} \models f_1$ and $y^{(i+1)} \models f$). From these using the rules $f(i) \leftarrow f_2(i)$ and 
$f(i) \leftarrow f_1(i), f(i+1)$ in $\Pi_C$ and the inductive hypotheses it follows that $f(i) \in \Delta_C$ 
holds. 

• $f = f_1\,R\,f_2$: 

We show that $f$ follows the semantics of LTL for all $0 \le i \le n$ by establishing that 
(i) it does that for $i = n$ and that (ii) if $f$ follows the semantics of LTL for $i+1$, 
then it does for $i$. 

(i) Consider first the case b). Now $f(n+1) \notin \Delta_C$. If $f(n) \in \Delta_C$, then $f(n) \leftarrow 
f_2(n)$ and $f(n) \leftarrow f_2(n), f_1(n)$ are the only rules supporting $f(n)$ in $\Pi_C^{\Delta_C}$. Hence, 
$f_2(n) \in \Delta_C$, $y^{(n)} \models f_2$ and thus $y^{(n)} \models f$. In the other direction, if $y^{(n)} \models f$, then 
$y^{(n)} \models f_2$ implying $f(n) \in \Delta_C$. In the case c) if $f(n) \in \Delta_C$, $f(n) \leftarrow f_2(n), f_1(n)$ 
is the only rule supporting $f(n)$ in $\Pi_C^{\Delta_C}$ and hence $y^{(n)} \models f_1 \wedge f_2$ which implies 
$y' \models f$ for any $y'$ extending $y^{(n)}$. Thus for the cases b) and c) condition (i) holds. 
Now consider the case a) where we use the following equivalence between LTL 
formulas: 

$y \models f_1\,R\,f_2$ iff $y \models (f_2\,U\,(f_1 \wedge f_2)) \vee (\Box f_2)$.   (A5) 

We consider two cases: 

— $y^{(n)} \models \Box f_2$ 

In this case by (A5) $y^{(n)} \models f$ but also $f_2(j) \in \Delta_C$ for all $l < j \le n$, which 
implies that $c(f) \notin \Delta_C$ and $f(n+1) \in \Delta_C$ and hence $f(n) \in \Delta_C$. 

— $y^{(n)} \not\models \Box f_2$ 

In this case by (A5) $y^{(n)} \models f$ iff $y^{(n)} \models (f_2\,U\,(f_1 \wedge f_2))$. Now we can show 
that $y^{(n)} \models f$ iff $f(n) \in \Delta_C$ using a similar argument as in the previous case 
for the $U$ operator. This is because $y^{(n)} \not\models \Box f_2$ implies that there is some 
$f_2(j) \notin \Delta_C$ with $l < j \le n$. Hence, $c(f) \in \Delta_C$. Then the rules for $f(i)$ in 
$\Pi_C^{\Delta_C}$ are 

$f(i) \leftarrow f_2(i), f_1(i)$ 
$f(i) \leftarrow f_2(i), f(i+1)$ 
$f(n+1) \leftarrow nl(i), f(i)$ 

which would be the evaluation rules for the $U$ formula $(f_2\,U\,(f_1 \wedge f_2))$. 

Hence, in both cases $y^{(n)} \models f$ iff $f(n) \in \Delta_C$ and thus for the case a) condition (i) 
holds. 

(ii) We use the following equivalence valid for all $0 \le i < n$: 

$y^{(i)} \models f_1\,R\,f_2$ iff $y^{(i)} \models f_1 \wedge f_2$ or ($y^{(i)} \models f_2$ and $y^{(i+1)} \models f_1\,R\,f_2$)   (A6) 

If $y^{(i)} \models f$, then by (A6) $f_2(i), f_1(i) \in \Delta_C$ or $f_2(i), f(i+1) \in \Delta_C$, which imply 
$f(i) \in \Delta_C$. In the other direction, if $f(i) \in \Delta_C$, then there are two possible rules 
in $\Pi_C^{\Delta_C}$ supporting $f(i)$: $f(i) \leftarrow f_2(i), f_1(i)$ and $f(i) \leftarrow f_2(i), f(i+1)$. Hence, 
$f_2(i), f_1(i) \in \Delta_C$ or $f_2(i), f(i+1) \in \Delta_C$, which imply by (A6) that $y^{(i)} \models f$. 
Hence, condition (ii) holds. 

□ 
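To make the three-case evaluation of Lemma 10 concrete, the following Python reference evaluator (an added illustration, not code from the paper) computes the truth values that the atoms $f(i)$ of the translation are shown to carry: (A4) and (A6) are applied backwards from position $n$, with the least fixpoint for $U$ and the greatest fixpoint for $R$ over the loop positions $l+1, \ldots, n$ in case a), the end conditions $f(n) \leftarrow f_2(n)$ in case b), and the cautious under-approximation ($f_1(n) \wedge f_2(n)$ for $R$) in case c). The tuple encoding of formulas and the word `WORD` are constructed for this example.

```python
from typing import FrozenSet, List, Tuple

# Constructed encoding of formulas in positive normal form (not the paper's):
# ("p", a), ("not", a), ("and", f, g), ("or", f, g), ("U", f, g), ("R", f, g).
Formula = Tuple


def bounded_ltl(word: List[FrozenSet[str]], loop: int, case: str, f: Formula) -> List[bool]:
    """Truth value of f at positions 0..n of the bounded word (n = len(word) - 1).

    word[i] is the set of atomic propositions true at step i.
    case "a": looping word y = u (u^(l+1..n))^omega; the successor of n is l + 1.
    case "b": u is a finite maximal (deadlock) word; nothing follows position n.
    case "c": u is only a prefix; the result is a cautious under-approximation.
    """
    n = len(word) - 1
    kind = f[0]
    if kind == "p":
        return [f[1] in m for m in word]
    if kind == "not":
        return [f[1] not in m for m in word]
    v1 = bounded_ltl(word, loop, case, f[1])
    v2 = bounded_ltl(word, loop, case, f[2])
    if kind == "and":
        return [a and b for a, b in zip(v1, v2)]
    if kind == "or":
        return [a or b for a, b in zip(v1, v2)]
    if kind == "U":    # (A4): f2(i) or (f1(i) and f(i+1)); least fixpoint on the loop
        step, start = (lambda i, nx: v2[i] or (v1[i] and nx)), False
    elif kind == "R":  # (A6): f2(i) and (f1(i) or f(i+1)); greatest fixpoint on the loop
        step, start = (lambda i, nx: v2[i] and (v1[i] or nx)), True
    else:
        raise ValueError(f"unknown connective {kind!r}")
    val = [False] * (n + 1)
    if case == "a":
        assert 0 <= loop < n and word[loop] == word[n], "loop point needs M_l = M_n"
        for i in range(loop + 1, n + 1):
            val[i] = start
        changed = True
        while changed:  # values only move away from `start`, so at most n rounds
            changed = False
            for i in range(n, loop, -1):
                new = step(i, val[loop + 1] if i == n else val[i + 1])
                if new != val[i]:
                    val[i], changed = new, True
        first = loop       # positions 0..l are then evaluated backwards from l + 1
    else:
        if kind == "U":    # only f(n) <- f2(n) can support f(n)
            val[n] = v2[n]
        else:              # b): f(n) <- f2(n); c): only f(n) <- f2(n), f1(n)
            val[n] = v2[n] if case == "b" else (v1[n] and v2[n])
        first = n - 1
    for i in range(first, -1, -1):
        val[i] = step(i, val[i + 1])
    return val


# Constructed bounded word with n = 3 and loop point l = 1 (M_1 = M_3 = {p, r}).
WORD = [frozenset("p"), frozenset("pr"), frozenset("qr"), frozenset("pr")]
P_UNTIL_Q = ("U", ("p", "p"), ("p", "q"))
ALWAYS_R = ("R", ("not", "r"), ("p", "r"))  # (not r) R r is equivalent to box r

if __name__ == "__main__":
    for case in "abc":
        print(case, bounded_ltl(WORD, 1, case, P_UNTIL_Q), bounded_ltl(WORD, 1, case, ALWAYS_R))
```

On this word case c) cannot confirm $\Box r$ at any position, while cases a) and b) do from position 1 on, which is exactly the under-approximation the text describes.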
Final proof of Theorem 3. Let $\Delta_{LTL}$ be a stable model of the program $\Pi = \Pi_M(C_0, 0) \cup 
\Pi_A(N, n) \cup \Pi_L(N, n) \cup \Pi_{LTL}(f, n)$. By Lemma 8 we can obtain from $\Delta_{LTL}$ a maximal 
(interleaving) execution $\sigma$ of $N$ from an initial marking satisfying $C_0$. Consider now 
the subprogram $\Pi_B$, which consists of $\Pi_M(C_0, 0) \cup \Pi_A(N, n) \cup \Pi_L(N, n)$ and the rules 
(11)–(16) of $\Pi_{LTL}(f, n)$. By Proposition and Lemma 5 the stable model $\Delta_{LTL}$ 
projected on the atoms of $\Pi_B$ satisfies the assumptions required by Lemma 10. 
Now Lemma 7 and Lemma 10 with $u = w'$ imply that if $f(0)$ is in a stable model 
$\Delta_{LTL}$, then for the word $w''$ corresponding to the maximal step execution $\sigma''$ it 
holds that $w'' \models f$. Because the word $w''$ is stuttering equivalent to the word $w$ 
corresponding to $\sigma$ according to Lemma 9, Proposition 4 implies that if $f(0)$ is in 
a stable model $\Delta_{LTL}$, then $\sigma \models f$. The rule (17) implies that $f(0) \in \Delta_{LTL}$, and 
thus $\sigma \models f$. This completes our proof of Theorem 3. □ 

A.3 Proof of Theorem 4 

We first recall our proof objective. Let $f$ be an LTL formula in positive normal 
form and $N = (P, T, F)$ be a 1-safe P/T-net for all initial markings satisfying a 
condition $C_0$. 

We want to prove that if $N$ has a looping or deadlock execution of at most length 
$n$ starting from an initial marking satisfying $C_0$ such that some corresponding 
maximal execution $\sigma$ satisfies $f$, then $\Pi = \Pi_M(C_0, 0) \cup \Pi_A(N, n) \cup \Pi_L(N, n) \cup 
\Pi_{LTL}(f, n)$ has a stable model. 

We thus know that there is a deadlock or looping execution, call it $\sigma'$, of $N$ of 
length $n'$ such that $n' \le n$ and for some corresponding maximal execution $\sigma$ it 
holds that $\sigma \models f$. 

There are now two mutually exclusive cases: 

a) $\sigma'$ is a looping execution. Notice that in this case $S_{n'-1} = \{t_{n'-1}\}$, i.e., the 
last step is always non-empty. Without loss of generality we select the minimal 
index $0 \le l \le n-1$ such that $M_l = M_n$ and such that the corresponding 
maximal execution $\sigma \models f$, where $\sigma$ is the maximal execution which visits the 
sequence of states $M_0, M_1, \ldots, M_l, M_{l+1}, \ldots, M_n, M_{l+1}, \ldots, M_n, \ldots$. 

b) $\sigma'$ is a deadlock execution. In this case $\sigma = \sigma'$ is a maximal execution such 
that $\sigma \models f$. We now set $l = n$ to differentiate from the previous case. 

Note that the case c) used in the proof of Theorem 3 is not needed here, as we do 
not consider non-maximal executions. 

Lemma 2 implies that the program $\Pi_0 = \Pi_M(C_0, 0) \cup \Pi_A(N, n)$ has a stable 
model $\Delta_0$ whose derived execution can be obtained from $\sigma'$ by adding $n - n'$ empty 
steps at the beginning of the execution. 

We keep the name $\sigma'$ for the step execution derived by adding $n - n'$ idle steps to 
the beginning of $\sigma'$, and add $n - n'$ idle steps to the beginning of the corresponding 
maximal execution $\sigma$. Also the loop point $l$ is increased by $n - n'$ to compensate for 
the addition of idle steps. Clearly the obtained step execution $\sigma'$ is of length $n$, is a 
deadlock execution iff the original is, and is a looping execution iff the original is. 
Moreover, the corresponding maximal execution $\sigma$ satisfies the formula $f$ also after 
the addition of the idle steps, as the word $w$ corresponding to $\sigma$ has $n - n'$ extra 
copies of stuttering of the initial atomic propositions added to it, which by Proposition 4 
cannot be detected by any LTL formula. Therefore we can from now on assume 
that $\sigma'$ is of length (exactly) $n$. 

Now consider the program $\Pi_2$ which consists of $\Pi_M(C_0, 0) \cup \Pi_A(N, n) \cup \Pi_L(N, n)$ 
together with rules (11)–(16) of program $\Pi_{LTL}(f, n)$. Given the pair $(\sigma', l)$ we will 
show that the program $\Pi_2$ has a stable model $\Delta_2$ capturing the essential properties 
of $(\sigma', l)$. 

Lemma 11 

Given the pair $(\sigma', l)$ we can construct a stable model $\Delta_2$ of the program $\Pi_2$ such 
that the two claims stated below hold for $\Delta_2$. 

1. For all $p \in P$, $0 \le i \le n$: $p(i) \in \Delta_2$ iff $p \in M_i$ in $\sigma'$. 

2. $\Delta_2$ is exactly one of the following two cases: 

a) If $0 \le l \le n-1$, then $nl(l+1) \in \Delta_2$, $nl(i) \notin \Delta_2$ for all $i \ne (l+1)$, 
$le \in \Delta_2$, $il(i) \in \Delta_2$ for all $l+1 \le i \le n$, and $live \in \Delta_2$. 

b) If $l = n$, then $nl(i+1) \notin \Delta_2$ for all $0 \le i \le n-1$, $le \notin \Delta_2$, and $live \notin \Delta_2$. 
Proof 

In the proofs below, use case a) when $0 \le l \le n-1$, and the case b) when $l = n$. 

We know that the first claim holds for the stable model $\Delta_0$ of the program $\Pi_0$ 
as $\sigma'$ has been derived from it. 

We also know from Lemma 4 and the fact that $\sigma'$ has been derived from the 
stable model $\Delta_0$ of $\Pi_0$ that the program $\Pi_1 = \Pi_0 \cup \Pi_L(N, n)$ has a stable model 
$\Delta_1$, such that 

a) $\Delta_1 = \Delta_0 \cup \{live\}$, as a loop execution is not deadlocked after $\sigma'$, or 

b) $\Delta_1 = \Delta_0$, as $\sigma'$ is a deadlock execution. 

Given $\Pi_1$ and the stable model $\Delta_1$, we will incrementally add rules to the program 
$\Pi_1$ whose head atoms do not appear in the program they are added into. At each 
step we prove that a stable model of the extended program exists. At the end we 
use Proposition to project the final stable model $\Delta_2$ on the atoms of $\Pi_1$ obtaining 
$\Delta_1$, which fulfils the first claim and part of the second claim. 

The rest of the second claim is proved incrementally by stating properties the 
stable models extending $\Delta_1$ will have, finally ending up with the stable model $\Delta_2$ 
of $\Pi_2$ which satisfies also the rest of the second claim. 

1. First add the shorthand rules to $\Pi_1$ obtaining the program $\Pi_a$. We show that 
a stable model $\Delta_a$ exists, which extends $\Delta_1$ as follows. We do a case analysis: 

a) $\Delta_a = \Delta_1 \cup \{el(l)\} \cup \{el(i)' \mid 0 \le i \le n-1 \text{ such that } i \ne l\}$ 

b) $\Delta_a = \Delta_1 \cup \{el(i)' \mid 0 \le i \le n-1\}$ 

In the case a) the shorthands (11) contribute to the reduct $\Pi_a^{\Delta_a}$ a fact $el(l) \leftarrow$ and 
a fact $el(i)' \leftarrow$ for every $0 \le i \le n-1$ such that $i \ne l$. Clearly $\Delta_a \models \Pi_a^{\Delta_a}$ and, 
moreover, $\Delta_a$ is the smallest such set $\Delta \subseteq \Delta_a$ because removing $el(l)$ or one of 
$el(i)'$ would leave the corresponding fact unsatisfied. Hence, $\Delta_a$ is a stable model 
of $\Pi_a$. The case b) is similar except that there is no fact $el(l) \leftarrow$ in the reduct but 
a fact $el(i)' \leftarrow$ for every $0 \le i \le n-1$. 

2. Add the integrity constraints (12)–(13) to $\Pi_a$ obtaining $\Pi_b$. Now $\Delta_b = \Delta_a$ is a 
stable model of $\Pi_b$. In the case a) the integrity constraint (12) is satisfied because 
$el(i) \in \Delta_b$ only for the index $i = l$. Because $\sigma'$ is a loop execution with $M_l = M_n$ 
also all of the integrity constraints (13) are satisfied. In the case b) $el(i) \notin \Delta_b$ for 
all indices $0 \le i \le n-1$, and thus the integrity constraint (12) is satisfied and also 
all of the integrity constraints (13) are satisfied. 

3. Add rules (14) to $\Pi_b$ obtaining $\Pi_c$. The added rules are stratified, and thus by 
Proposition 2 a unique stable model $\Delta_c$ exists, which extends $\Delta_b$ as follows. We do 
a case analysis: 

a) $\Delta_c = \Delta_b \cup \{le, nl(l+1)\} \cup \{il(i) \mid l+1 \le i \le n\}$ 

b) $\Delta_c = \Delta_b$ 

The proof in the case a) proceeds starting from the fact that $el(l) \in \Delta_b$, from which 
we get $\{le, nl(l+1), il(l+1)\} \subseteq \Delta_c$. We then get that $\{il(i) \mid l+2 \le i \le n\} \subseteq \Delta_c$ 
by simple induction using the rules $il(i+1) \leftarrow il(i)$. In the case b) $el(i) \notin \Delta_b$ for 
all indices $0 \le i \le n-1$ implies that the rules (14) are satisfied by $\Delta_c$, and thus 
$\Delta_c$ is a stable model. 

4. Add the rule (15) to $\Pi_c$ obtaining $\Pi_d$. This is an integrity constraint, which is 
satisfied in case a), as the step $S_{n-1}$ is non-empty in looping executions. The integrity 
constraint is also satisfied in case b), as $le \notin \Delta_c$. Thus $\Delta_d = \Delta_c$ is in both cases a 
stable model of $\Pi_d$. 

5. Finally, add the integrity constraints (16) to $\Pi_d$ obtaining $\Pi_e$. These integrity 
constraints are always satisfied, as no time step in $\sigma'$ contains more than one transition. 
Thus $\Delta_e = \Delta_d$ will be a stable model of $\Pi_e$. 

By setting $\Delta_2 = \Delta_e$ we have shown that $\Delta_2$ is a stable model of the program 
$\Pi_2 = \Pi_e$ such that $\Delta_2$ projected on the atoms of $\Pi_1$ by Proposition is $\Delta_1$. This 
satisfies the first claim, and the part of the second claim concerning the atom $live$. 
The rest of the second claim has been incrementally proved in the cases above. □ 

Let $\Pi_3$ be the program which consists of $\Pi_2$ together with the translation of the 
LTL formula $f$ as given by Fig. and let $w'$ be the finite word corresponding to 
the execution $\sigma'$. 

Lemma 11 and Lemma 10 with $u = w'$ and $\Pi_B = \Pi_2$, and the fact that $\sigma \models f$ 
imply that the program $\Pi_3$ has a stable model $\Delta_3$ such that $f(0) \in \Delta_3$. (Recall that 
we do not use case c), and thus our evaluation of $f$ on the corresponding maximal 
execution $\sigma$ is exact.) We can now add the constraint rule (17) to the program $\Pi_3$ 
to obtain the full program $\Pi$. Now because $f(0) \in \Delta_3$ the integrity constraint 
(17) is satisfied, and we have found a stable model $\Delta = \Delta_3$ of $\Pi$. This completes 
our proof of Theorem 4. □ 



